diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -197,7 +197,7 @@ def _hostsettings(ui, hostname):
                                       cafile)
             else:
                 # CAs not defined in config. Try to find system bundles.
-                cafile = _defaultcacerts()
+                cafile = _defaultcacerts(ui)
                 if cafile:
                     ui.debug('using %s for CA file\n' % cafile)
 
@@ -430,7 +430,7 @@ def _plainapplepython():
     return (exe.startswith('/usr/bin/python') or
             exe.startswith('/system/library/frameworks/python.framework/'))
 
-def _defaultcacerts():
+def _defaultcacerts(ui):
     """return path to default CA certificates or None."""
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -415,20 +415,22 @@ def has_sslcontext():
 
 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
 def has_defaultcacerts():
-    from mercurial import sslutil
-    return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts
+    from mercurial import sslutil, ui as uimod
+    ui = uimod.ui()
+    return sslutil._defaultcacerts(ui) or sslutil._canloaddefaultcerts
 
 @check("defaultcacertsloaded", "detected presence of loaded system CA certs")
 def has_defaultcacertsloaded():
     import ssl
-    from mercurial import sslutil
+    from mercurial import sslutil, ui as uimod
 
     if not has_defaultcacerts():
         return False
     if not has_sslcontext():
         return False
 
-    cafile = sslutil._defaultcacerts()
+    ui = uimod.ui()
+    cafile = sslutil._defaultcacerts(ui)
     ctx = ssl.create_default_context()
     if cafile:
         ctx.load_verify_locations(cafile=cafile)