mercurial-scm/hg: mercurial/sslutil.py comparison

comparison mercurial/sslutil.py @ 29108:16021d58c5ca

sslutil: make sslkwargs code even more explicit The ways in which this code can interact with socket wrapping and validation later are mind numbing. This patch helps make it even more clear. The end behavior should be identical.

author	Gregory Szorc <gregory.szorc@gmail.com>
date	Thu, 05 May 2016 00:32:43 -0700
parents	c8fbfb9163ce
children	843df550b465

comparison

equal deleted inserted replaced

-:c8fbfb9163ce
+:16021d58c5ca
 'cert_reqs': ssl.CERT_REQUIRED})
 return kws
 # No CAs in config. See if we can load defaults.
 cacerts = _defaultcacerts()
+# We found an alternate CA bundle to use. Load it.
 if cacerts:
 ui.debug('using %s to enable OS X system CA\n' % cacerts)
-else:
+ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
-if not _canloaddefaultcerts:
-cacerts = '!'
-ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
-if cacerts != '!':
 kws.update({'ca_certs': cacerts,
-'cert_reqs': ssl.CERT_REQUIRED,
+'cert_reqs': ssl.CERT_REQUIRED})
-})
+return kws
+# FUTURE this can disappear once wrapsocket() is secure by default.
+if _canloaddefaultcerts:
+kws['cert_reqs'] = ssl.CERT_REQUIRED
+return kws
+# This is effectively indicating that no CAs can be loaded because
+# we can't get here if web.cacerts is set or if we can find
+# CA certs elsewhere. Using a config option (which is later
+# consulted by validator.__call__ is not very obvious).
+# FUTURE fix this
+ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
 return kws
 class validator(object):
 def __init__(self, ui, host):
 self.ui = ui

Mercurial > public > mercurial-scm > hg

comparison mercurial/sslutil.py @ 29108:16021d58c5ca