[PATCH STABLE v2] sslutil: guard against broken certifi installations (issue5406)

[Gábor Stefanik]

# HG changeset patch
# User Gábor Stefanik <gabor.stefanik at nng.com>
# Date 1476893174 -7200
#      Wed Oct 19 18:06:14 2016 +0200
# Branch stable
# Node ID c3fe0e56546a44a7961354d4840cdcb82cbecefc
# Parent  76c57e1fe79b0980b377b4f305635dea393d6315
sslutil: guard against broken certifi installations (issue5406)

Certifi is currently incompatible with py2exe; the Python code for certifi gets
included in library.zip, but not the cacert.pem file - and even if it were
included, SSLContext can't load a cacert.pem file from library.zip.
This currently makes it impossible to build a standalone Windows version of
Mercurial.

Guard against this, and possibly other situations where a module with the name
"certifi" exists, but is not usable.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -690,14 +690,15 @@
     We don't print a message when the Python is able to load default
     CA certs because this scenario is detected at socket connect time.
     """
-    # The "certifi" Python package provides certificates. If it is installed,
-    # assume the user intends it to be used and use it.
+    # The "certifi" Python package provides certificates. If it is installed
+    # and usable, assume the user intends it to be used and use it.
     try:
         import certifi
         certs = certifi.where()
-        ui.debug('using ca certificates from certifi\n')
-        return certs
-    except ImportError:
+        if os.path.exists(certs):
+            ui.debug('using ca certificates from certifi\n')
+            return certs
+    except (ImportError, AttributeError):
         pass
 
     # On Windows, only the modern ssl module is capable of loading the system