comparison mercurial/sslutil.py @ 29489:54ad81b0665f
sslutil: handle default CA certificate loading on Windows
See the inline comment for what's going on here.
There is magic built into the "ssl" module that ships with modern
CPython that knows how to load the system CA certificates on
Windows. Since we're not shipping a CA bundle with Mercurial,
if we're running on legacy CPython there's nothing we can do
to load CAs on Windows, so it makes sense to print a warning.
I don't anticipate many people will see this warning because
the official (presumed popular) Mercurial distributions on
Windows bundle Python and should be distributing a modern Python
capable of loading system CA certs.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Mon, 04 Jul 2016 10:04:11 -0700 |
parents | 1c26b9ce66f8 |
children | 9c5325c79683 |
29488:1c26b9ce66f8 | 29489:54ad81b0665f |
---|---|
445 ui.debug('using ca certificates from certifi\n') | 445 ui.debug('using ca certificates from certifi\n') |
446 return certs | 446 return certs |
447 except ImportError: | 447 except ImportError: |
448 pass | 448 pass |
449 | 449 |
450 # On Windows, only the modern ssl module is capable of loading the system | |
451 # CA certificates. If we're not capable of doing that, emit a warning | |
452 # because we'll get a certificate verification error later and the lack | |
453 # of loaded CA certificates will be the reason why. | |
454 # Assertion: this code is only called if certificates are being verified. | |
455 if os.name == 'nt': | |
456 if not _canloaddefaultcerts: | |
457 ui.warn(_('(unable to load Windows CA certificates; see ' | |
458 'https://mercurial-scm.org/wiki/SecureConnections for ' | |
459 'how to configure Mercurial to avoid this message)\n')) | |
460 | |
461 return None | |
462 | |
450 # Apple's OpenSSL has patches that allow a specially constructed certificate | 463 # Apple's OpenSSL has patches that allow a specially constructed certificate |
451 # to load the system CA store. If we're running on Apple Python, use this | 464 # to load the system CA store. If we're running on Apple Python, use this |
452 # trick. | 465 # trick. |
453 if _plainapplepython(): | 466 if _plainapplepython(): |
454 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') | 467 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') |
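Review bot: the `return None` at new line 461 is taken by every Windows caller, whether or not `_canloaddefaultcerts` is true, and the comment block at 450-454 only explains the warning. Please add a sentence stating what a None return means to the caller in each of the two cases, because one of them ends in a certificate verification error and the other does not, and a reader of this function cannot tell them apart from the return value. The "Assertion: this code is only called if certificates are being verified" line is also not checked anywhere in the visible code; if that precondition matters for the warning to be accurate, document it in the function's docstring or enforce it, so a future caller that reaches this path with verification disabled does not print a misleading message. Finally, the warning text points to the wiki but does not say that the running Python is the reason the CAs cannot be loaded, which is the cause the commit message gives; naming it in the message would save users a lookup.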