# HG changeset patch
# User Gregory Szorc
# Date 2016-05-05 06:38:34
# Node ID c8fbfb9163ce786d0feee162365bd5353d6dbe20
# Parent fe7ebef8796a8a7e1668ed15ddcb8c49c1999f05
sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts

Before, the return of _defaultcacerts() was 1 of 3 types. This was difficult to read. Make it return a path or None. We had to update hghave.py in the same patch because it was also looking at this internal function. I wasted dozens of minutes trying to figure out why tests were failing until I found the code in hghave.py...

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -222,14 +222,13 @@ def _plainapplepython():
 exe.startswith('/system/library/frameworks/python.framework/'))
 
 def _defaultcacerts():
- """return path to CA certificates; None for system's store; ! to disable"""
+ """return path to default CA certificates or None."""
 if _plainapplepython():
 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
 if os.path.exists(dummycert):
 return dummycert
- if _canloaddefaultcerts:
- return None
- return '!'
+
+ return None
 
 def sslkwargs(ui, host):
 """Determine arguments to pass to wrapsocket().
@@ -262,8 +261,12 @@ def sslkwargs(ui, host):
 
 # No CAs in config. See if we can load defaults.
 cacerts = _defaultcacerts()
- if cacerts and cacerts != '!':
+ if cacerts:
 ui.debug('using %s to enable OS X system CA\n' % cacerts)
+ else:
+ if not _canloaddefaultcerts:
+ cacerts = '!'
+
 ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
 
 if cacerts != '!':
diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
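Review bot: The new docstring on `_defaultcacerts` no longer says what `None` means, and that meaning has changed. The removed text read "None for system's store", whereas after this hunk `None` only says that no bundled `dummycert.pem` path applies and tells the caller nothing about whether the system store can be loaded. Because the `'!'` fallback now lives in the caller, a later caller that reads `None` as "use the system store" would skip that check. I would spell the contract out, e.g. `"""Return the path to a default CA bundle, or None if there is none. None does not imply the system store is loadable; callers must check _canloaddefaultcerts."""`.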
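Review bot: In `sslkwargs`, the added `else:` branch sets `cacerts = '!'` without logging anything, while the branch above it reports its choice through `ui.debug`. Going by the docstring this commit removes ("! to disable"), this looks like the path where CA-based verification is switched off, so it is the outcome most worth surfacing when someone debugs a connection. I would flatten the nesting to `elif not _canloaddefaultcerts:` and add a `ui.debug(...)` line in that branch saying that no default CA certificates could be loaded. What `'!'` actually causes is decided in the `if cacerts != '!':` block, which continues outside the hunk, so the wording of that message should be confirmed there.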
@@ -416,7 +416,7 @@ def has_sslcontext():
 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
 def has_defaultcacerts():
 from mercurial import sslutil
- return sslutil._defaultcacerts() != '!'
+ return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts
 
 @check("windows", "Windows")
 def has_windows():
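Review bot: `has_defaultcacerts` now repeats the fallback decision that `sslkwargs` makes (`_defaultcacerts()` truthy, otherwise `_canloaddefaultcerts`) using two private names from `sslutil`, and nothing on the new line tells the next editor that the two must move together. The commit message already records that this coupling cost debugging time. A comment above the return such as `# mirrors the default-CA fallback in sslutil.sslkwargs(); update both together` would help, since if the two drift the certificate-verification tests gated on this check may be skipped, or run where they cannot pass, without an obvious cause. The expression also yields either a path string or a bool; wrapping it as `return bool(sslutil._defaultcacerts() or sslutil._canloaddefaultcerts)` keeps the check's result uniform.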