259 'cert_reqs': ssl.CERT_REQUIRED}) |
259 'cert_reqs': ssl.CERT_REQUIRED}) |
260 return kws |
260 return kws |
261 |
261 |
262 # No CAs in config. See if we can load defaults. |
262 # No CAs in config. See if we can load defaults. |
263 cacerts = _defaultcacerts() |
263 cacerts = _defaultcacerts() |
|
264 |
|
265 # We found an alternate CA bundle to use. Load it. |
264 if cacerts: |
266 if cacerts: |
265 ui.debug('using %s to enable OS X system CA\n' % cacerts) |
267 ui.debug('using %s to enable OS X system CA\n' % cacerts) |
266 else: |
268 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') |
267 if not _canloaddefaultcerts: |
|
268 cacerts = '!' |
|
269 |
|
270 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts') |
|
271 |
|
272 if cacerts != '!': |
|
273 kws.update({'ca_certs': cacerts, |
269 kws.update({'ca_certs': cacerts, |
274 'cert_reqs': ssl.CERT_REQUIRED, |
270 'cert_reqs': ssl.CERT_REQUIRED}) |
275 }) |
271 return kws |
|
272 |
|
273 # FUTURE this can disappear once wrapsocket() is secure by default. |
|
274 if _canloaddefaultcerts: |
|
275 kws['cert_reqs'] = ssl.CERT_REQUIRED |
|
276 return kws |
|
277 |
|
278 # This is effectively indicating that no CAs can be loaded because |
|
279 # we can't get here if web.cacerts is set or if we can find |
|
280 # CA certs elsewhere. Using a config option (which is later |
|
281 # consulted by validator.__call__ is not very obvious). |
|
282 # FUTURE fix this |
|
283 ui.setconfig('web', 'cacerts', '!', 'defaultcacerts') |
276 return kws |
284 return kws |
277 |
285 |
278 class validator(object): |
286 class validator(object): |
279 def __init__(self, ui, host): |
287 def __init__(self, ui, host): |
280 self.ui = ui |
288 self.ui = ui |