# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 2016-07-15 02:56:39
# Node ID 53de8255ec4e33ba1ef783e737c6c18449afa5f0
# Parent  1b8b6adb2365b4f8674b7c4964be0c2d234cd6a5

sslutil: update comment about create_default_context()

While ssl.create_default_context() creates a SSLContext with
reasonable default options, we can't use it because it conflicts with
our CA loading controls. So replace the comment with reality.

(FWIW the comment was written before the existing CA loading code
was in place.)

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -264,7 +264,13 @@ def wrapsocket(sock, keyfile, certfile, 
 
     settings = _hostsettings(ui, serverhostname)
 
-    # TODO use ssl.create_default_context() on modernssl.
+    # We can't use ssl.create_default_context() because it calls
+    # load_default_certs() unless CA arguments are passed to it. We want to
+    # have explicit control over CA loading because implicitly loading
+    # CAs may undermine the user's intent. For example, a user may define a CA
+    # bundle with a specific CA cert removed. If the system/default CA bundle
+    # is loaded and contains that removed CA, you've just undone the user's
+    # choice.
     sslcontext = SSLContext(settings['protocol'])
 
     # This is a no-op unless using modern ssl.