upstream/mercurial-mirror Commit - r29557:53de8255

sslutil: update comment about create_default_context()...

Gregory Szorc -

r29557:53de8255 default

parent child

mercurial/sslutil.py

0 +7 -1

                 settings = _hostsettings(ui, serverhostname)
-                # TODO use ssl.create_default_context() on modernssl.
+                # We can't use ssl.create_default_context() because it calls
+                # load_default_certs() unless CA arguments are passed to it. We want to
+                # have explicit control over CA loading because implicitly loading
+                # CAs may undermine the user's intent. For example, a user may define a CA
+                # bundle with a specific CA cert removed. If the system/default CA bundle
+                # is loaded and contains that removed CA, you've just undone the user's
+                # choice.
                 sslcontext = SSLContext(settings['protocol'])
                 # This is a no-op unless using modern ssl.

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages