# HG changeset patch
# User Gregory Szorc
# Date 2016-07-04 16:58:45
# Node ID a62c00f6dd0418cbcb36e8b3eaa2f8c4ba12a8f3
# Parent 6a98f9408a504be455d4382801610daceac429e6
sslutil: use certificates provided by certifi if available
The "certifi" Python package provides a distribution of the Mozilla trusted CA certificates as a Python package. If it is present, we assume the user intends it to be used and we use it to provide the default CA certificates when certificates are otherwise not configured. It's worth noting that this behavior roughly matches the popular "requests" package, which also attempts to use "certifi" if present.
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -432,6 +432,16 @@ def _plainapplepython():
 def _defaultcacerts(ui):
 """return path to default CA certificates or None."""
+ # The "certifi" Python package provides certificates. If it is installed,
+ # assume the user intends it to be used and use it.
+ try:
+ import certifi
+ certs = certifi.where()
+ ui.debug('using ca certificates from certifi\n')
+ return certs
+ except ImportError:
+ pass
+
 if _plainapplepython():
 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
 if os.path.exists(dummycert):
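Review bot: The added `try` block at the top of `_defaultcacerts` lets whichever `certifi` module is importable choose the trust anchors for TLS verification, ahead of the `_plainapplepython()` check that follows. The only trace is a debug line that omits the path, and the path is returned without the existence check the `dummycert` branch applies. An outdated or unexpected `certifi` on the import path would therefore silently define which CAs are trusted, so I would guard the return with `if os.path.exists(certs):` and log the location with `ui.debug('using ca certificates from certifi: %s\n' % certs)`. The docstring should also say that an installed certifi takes precedence over the platform defaults. The body of `_defaultcacerts` continues past the end of this hunk, so how the remaining fallbacks interact with this change is not visible here.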