diff mercurial/sslutil.py @ 22575:d7f7f1860f00

ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs This will give PKI-secure behaviour out of the box, without any configuration. Setting web.cacerts to any value or empty will disable this trick. This dummy cert trick only works on OS X 10.6+, but 10.5 had Python 2.5 which didn't have certificate validation at all.
author Mads Kiilerich <madski@unity3d.com>
date Fri, 26 Sep 2014 02:19:48 +0200
parents a00a7951b20c
children 2cd3fa4412dc
--- a/mercurial/sslutil.py	Fri Sep 26 02:19:47 2014 +0200
+++ b/mercurial/sslutil.py	Fri Sep 26 02:19:48 2014 +0200
@@ -6,7 +6,7 @@
 #
 # This software may be used and distributed according to the terms of the
 # GNU General Public License version 2 or any later version.
-import os
+import os, sys
 
 from mercurial import util
 from mercurial.i18n import _
@@ -104,6 +104,13 @@
         cacerts = util.expandpath(cacerts)
         if not os.path.exists(cacerts):
             raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
+    elif cacerts is None and sys.platform == 'darwin' and not util.mainfrozen():
+        dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
+        if os.path.exists(dummycert):
+            ui.debug('using %s to enable OS X system CA\n' % dummycert)
+            ui.setconfig('web', 'cacerts', dummycert, 'dummy')
+            cacerts = dummycert
+    if cacerts:
         kws.update({'ca_certs': cacerts,
                     'cert_reqs': CERT_REQUIRED,
                     })
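Review bot: The new `elif` branch selects the dummy-cert path on `sys.platform == 'darwin'` alone, but the fallback to the system CA store that the commit message relies on appears to come from the OpenSSL build Apple ships rather than from the platform itself. A Python on OS X linked against a different OpenSSL would presumably be left with `dummycert.pem` as its only trust anchor under `CERT_REQUIRED` and reject every server; that fails closed, but it gives users a reason to switch verification off. The condition should be narrowed to the interpreter the trick is known to work with, and the branch deserves a comment such as `# dummycert.pem is not a real trust anchor; it only makes Apple's OpenSSL consult the system CA store`. When `dummycert.pem` is missing, the branch falls through with `cacerts` still `None` and no message, so `kws` gets no `cert_reqs`; a `ui.debug` call on that path would make the unverified fallback visible. The enclosing function starts and ends outside the hunk.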