Show More
| @@ -430,12 +430,22 b' def _plainapplepython():' | |||||
| 430 | return (exe.startswith('/usr/bin/python') or |
|
430 | return (exe.startswith('/usr/bin/python') or | |
| 431 | exe.startswith('/system/library/frameworks/python.framework/')) |
|
431 | exe.startswith('/system/library/frameworks/python.framework/')) | |
| 432 |
|
432 | |||
|
|
433 | _systemcacertpaths = [ | |||
|
|
434 | # RHEL, CentOS, and Fedora | |||
|
|
435 | '/etc/pki/tls/certs/ca-bundle.trust.crt', | |||
|
|
436 | # Debian, Ubuntu, Gentoo | |||
|
|
437 | '/etc/ssl/certs/ca-certificates.crt', | |||
|
|
438 | ] | |||
|
|
439 | ||||
| 433 | def _defaultcacerts(ui): |
|
440 | def _defaultcacerts(ui): | |
| 434 | """return path to default CA certificates or None. |
|
441 | """return path to default CA certificates or None. | |
| 435 |
|
442 | |||
| 436 | It is assumed this function is called when the returned certificates |
|
443 | It is assumed this function is called when the returned certificates | |
| 437 | file will actually be used to validate connections. Therefore this |
|
444 | file will actually be used to validate connections. Therefore this | |
| 438 | function may print warnings or debug messages assuming this usage. |
|
445 | function may print warnings or debug messages assuming this usage. | |
|
|
446 | ||||
|
|
447 | We don't print a message when the Python is able to load default | |||
|
|
448 | CA certs because this scenario is detected at socket connect time. | |||
| 439 | """ |
|
449 | """ | |
| 440 | # The "certifi" Python package provides certificates. If it is installed, |
|
450 | # The "certifi" Python package provides certificates. If it is installed, | |
| 441 | # assume the user intends it to be used and use it. |
|
451 | # assume the user intends it to be used and use it. | |
| @@ -480,6 +490,28 b' def _defaultcacerts(ui):' | |||||
| 480 | 'how to configure Mercurial to avoid this message)\n')) |
|
490 | 'how to configure Mercurial to avoid this message)\n')) | |
| 481 | return None |
|
491 | return None | |
| 482 |
|
492 | |||
|
|
493 | # Try to find CA certificates in well-known locations. We print a warning | |||
|
|
494 | # when using a found file because we don't want too much silent magic | |||
|
|
495 | # for security settings. The expectation is that proper Mercurial | |||
|
|
496 | # installs will have the CA certs path defined at install time and the | |||
|
|
497 | # installer/packager will make an appropriate decision on the user's | |||
|
|
498 | # behalf. We only get here and perform this setting as a feature of | |||
|
|
499 | # last resort. | |||
|
|
500 | if not _canloaddefaultcerts: | |||
|
|
501 | for path in _systemcacertpaths: | |||
|
|
502 | if os.path.isfile(path): | |||
|
|
503 | ui.warn(_('(using CA certificates from %s; if you see this ' | |||
|
|
504 | 'message, your Mercurial install is not properly ' | |||
|
|
505 | 'configured; see ' | |||
|
|
506 | 'https://mercurial-scm.org/wiki/SecureConnections ' | |||
|
|
507 | 'for how to configure Mercurial to avoid this ' | |||
|
|
508 | 'message)\n') % path) | |||
|
|
509 | return path | |||
|
|
510 | ||||
|
|
511 | ui.warn(_('(unable to load CA certificates; see ' | |||
|
|
512 | 'https://mercurial-scm.org/wiki/SecureConnections for ' | |||
|
|
513 | 'how to configure Mercurial to avoid this message)\n')) | |||
|
|
514 | ||||
| 483 | return None |
|
515 | return None | |
| 484 |
|
516 | |||
| 485 | def validatesocket(sock): |
|
517 | def validatesocket(sock): | |
| @@ -56,6 +56,7 b' we are able to load CA certs.' | |||||
| 56 |
|
56 | |||
| 57 | #if no-sslcontext defaultcacerts |
|
57 | #if no-sslcontext defaultcacerts | |
| 58 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
58 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
|
|
59 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |||
| 59 | abort: error: *certificate verify failed* (glob) |
|
60 | abort: error: *certificate verify failed* (glob) | |
| 60 | [255] |
|
61 | [255] | |
| 61 | #endif |
|
62 | #endif | |
| @@ -77,6 +78,7 b' we are able to load CA certs.' | |||||
| 77 |
|
78 | |||
| 78 | #if defaultcacertsloaded |
|
79 | #if defaultcacertsloaded | |
| 79 | $ hg clone https://localhost:$HGPORT/ copy-pull |
|
80 | $ hg clone https://localhost:$HGPORT/ copy-pull | |
|
|
81 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |||
| 80 | abort: error: *certificate verify failed* (glob) |
|
82 | abort: error: *certificate verify failed* (glob) | |
| 81 | [255] |
|
83 | [255] | |
| 82 | #endif |
|
84 | #endif | |
| @@ -58,6 +58,7 b' we are able to load CA certs:' | |||||
| 58 | this patch series consists of 1 patches. |
|
58 | this patch series consists of 1 patches. | |
| 59 |
|
59 | |||
| 60 |
|
60 | |||
|
|
61 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |||
| 61 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
62 | (?i)abort: .*?certificate.verify.failed.* (re) | |
| 62 | [255] |
|
63 | [255] | |
| 63 | #endif |
|
64 | #endif | |
| @@ -67,6 +68,7 b' we are able to load CA certs:' | |||||
| 67 | this patch series consists of 1 patches. |
|
68 | this patch series consists of 1 patches. | |
| 68 |
|
69 | |||
| 69 |
|
70 | |||
|
|
71 | (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?) | |||
| 70 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
72 | (?i)abort: .*?certificate.verify.failed.* (re) | |
| 71 | [255] |
|
73 | [255] | |
| 72 |
|
74 | |||
General Comments 0
You need to be logged in to leave comments.
Login now