upstream/mercurial-mirror Commit - r29500:4b16a5bd

sslutil: try to find CA certficates in well-known locations...

Gregory Szorc -

r29500:4b16a5bd default

parent child

mercurial/sslutil.py

0 +32 0

                  return (exe.startswith('/usr/bin/python') or
                          exe.startswith('/system/library/frameworks/python.framework/'))
+             _systemcacertpaths = [
+                 # RHEL, CentOS, and Fedora
+                 '/etc/pki/tls/certs/ca-bundle.trust.crt',
+                 # Debian, Ubuntu, Gentoo
+                 '/etc/ssl/certs/ca-certificates.crt',
+             ]
              def _defaultcacerts(ui):
                  """return path to default CA certificates or None.
                  It is assumed this function is called when the returned certificates
                  file will actually be used to validate connections. Therefore this
                  function may print warnings or debug messages assuming this usage.
+                 We don't print a message when the Python is able to load default
+                 CA certs because this scenario is detected at socket connect time.
                  """
                  # The "certifi" Python package provides certificates. If it is installed,
                  # assume the user intends it to be used and use it.
                                    'how to configure Mercurial to avoid this message)\n'))
                      return None
+                 # Try to find CA certificates in well-known locations. We print a warning
+                 # when using a found file because we don't want too much silent magic
+                 # for security settings. The expectation is that proper Mercurial
+                 # installs will have the CA certs path defined at install time and the
+                 # installer/packager will make an appropriate decision on the user's
+                 # behalf. We only get here and perform this setting as a feature of
+                 # last resort.
+                 if not _canloaddefaultcerts:
+                     for path in _systemcacertpaths:
+                         if os.path.isfile(path):
+                             ui.warn(_('(using CA certificates from %s; if you see this '
+                                       'message, your Mercurial install is not properly '
+                                       'configured; see '
+                                       'https://mercurial-scm.org/wiki/SecureConnections '
+                                       'for how to configure Mercurial to avoid this '
+                                       'message)\n') % path)
+                             return path
+                     ui.warn(_('(unable to load CA certificates; see '
+                               'https://mercurial-scm.org/wiki/SecureConnections for '
+                               'how to configure Mercurial to avoid this message)\n'))
                  return None
              def validatesocket(sock):

tests/test-https.t

0 +2 0

              #if no-sslcontext defaultcacerts
                $ hg clone https://localhost:$HGPORT/ copy-pull
+               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
                abort: error: *certificate verify failed* (glob)
                [255]
              #endif
              #if defaultcacertsloaded
                $ hg clone https://localhost:$HGPORT/ copy-pull
+               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
                abort: error: *certificate verify failed* (glob)
                [255]
              #endif

tests/test-patchbomb-tls.t

0 +2 0

                this patch series consists of 1 patches.
+               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
                (?i)abort: .*?certificate.verify.failed.* (re)
                [255]
              #endif
                this patch series consists of 1 patches.
+               (using CA certificates from *; if you see this message, your Mercurial install is not properly configured; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message) (glob) (?)
                (?i)abort: .*?certificate.verify.failed.* (re)
                [255]

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages