# HG changeset patch
# User Gregory Szorc
# Date 2016-05-05 06:01:49
# Node ID fe7ebef8796a8a7e1668ed15ddcb8c49c1999f05
# Parent 548e9c8c284120af19d2b0e26c27cb87288383a0
sslutil: further refactor sslkwargs

The logic here and what happens with web.cacerts is mind numbing. Make the code even more explicit.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -249,17 +249,22 @@ def sslkwargs(ui, host):
 if cacerts == '!':
 return kws
+ # If a value is set in the config, validate against a path and load
+ # and require those certs.
 if cacerts:
 cacerts = util.expandpath(cacerts)
 if not os.path.exists(cacerts):
 raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
- else:
- # CA certs aren't explicitly listed in the config. See if we can load
- # defaults.
- cacerts = _defaultcacerts()
- if cacerts and cacerts != '!':
- ui.debug('using %s to enable OS X system CA\n' % cacerts)
- ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+
+ kws.update({'ca_certs': cacerts,
+ 'cert_reqs': ssl.CERT_REQUIRED})
+ return kws
+
+ # No CAs in config. See if we can load defaults.
+ cacerts = _defaultcacerts()
+ if cacerts and cacerts != '!':
+ ui.debug('using %s to enable OS X system CA\n' % cacerts)
+ ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
 if cacerts != '!':
 kws.update({'ca_certs': cacerts,
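Review bot: The fallback path after `cacerts = _defaultcacerts()` still leaves the `'!'` sentinel unexplained, and it is the one branch where the returned kwargs carry no `cert_reqs`: the trailing `if cacerts != '!':` guard skips `kws.update`, while `ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')` stores whatever came back, sentinel included. Since the stated goal is explicitness, I would add a comment above that guard along the lines of `# '!' from _defaultcacerts(): no CA bundle to load, so cert_reqs stays unset and these kwargs request no chain verification` (wording to be confirmed against `_defaultcacerts`, which is not visible here), and consider a `ui.debug` line for that case so it appears in debug output. A falsy return other than `'!'` also reaches `kws.update` with `ca_certs` set to that falsy value alongside `ssl.CERT_REQUIRED`; presumably default certificates are loaded elsewhere, which deserves a one-line comment as well. `sslkwargs` starts before this hunk and continues past it, so how callers treat a `kws` without `cert_reqs` cannot be checked from these lines.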