# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 2016-07-02 02:17:45
# Node ID 53b7fc7cc2bbbcd1c344ce50519a868cac7ed9ac
# Parent  918dce4b8c26efebc40853d39a121e9174f3f3d8

sslutil: don't attempt to find default CA certs file when told not to

Before, devel.disableloaddefaultcerts only impacted the loading of
default certs via SSLContext. After this patch, the config option also
prevents sslutil._defaultcacerts() from being called.

This config option is meant to be used by tests to force no CA certs
to be loaded. Future patches will enable _defaultcacerts() to have
success more often. Without this change we can't reliably test the
failure to load CA certs. (This patch also likely fixes test failures
on some OS X configurations.)

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -195,7 +195,7 @@ def _hostsettings(ui, hostname):
                 if not os.path.exists(cafile):
                     raise error.Abort(_('could not find web.cacerts: %s') %
                                       cafile)
-            else:
+            elif s['allowloaddefaultcerts']:
                 # CAs not defined in config. Try to find system bundles.
                 cafile = _defaultcacerts(ui)
                 if cafile: