sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it
Manuel Jacob -
r45416:7dd63a8c default
@@ -52,8 +52,6 b" if util.safehasattr(ssl, b'PROTOCOL_TLSv"
52 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
52 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
53 supportedprotocols.add(b'tls1.2')
53 supportedprotocols.add(b'tls1.2')
54
54
55 _canloaddefaultcerts = True
56
57
55
58 def _hostsettings(ui, hostname):
56 def _hostsettings(ui, hostname):
59 """Obtain security settings for a hostname.
57 """Obtain security settings for a hostname.
@@ -227,7 +225,7 b' def _hostsettings(ui, hostname):'
227
225
228 # Require certificate validation if CA certs are being loaded and
226 # Require certificate validation if CA certs are being loaded and
229 # verification hasn't been disabled above.
227 # verification hasn't been disabled above.
230 if cafile or (_canloaddefaultcerts and s[b'allowloaddefaultcerts']):
228 if cafile or s[b'allowloaddefaultcerts']:
231 s[b'verifymode'] = ssl.CERT_REQUIRED
229 s[b'verifymode'] = ssl.CERT_REQUIRED
232 else:
230 else:
233 # At this point we don't have a fingerprint, aren't being
231 # At this point we don't have a fingerprint, aren't being
@@ -721,14 +719,6 b' def _plainapplepython():'
721 )
719 )
722
720
723
721
724 _systemcacertpaths = [
725 # RHEL, CentOS, and Fedora
726 b'/etc/pki/tls/certs/ca-bundle.trust.crt',
727 # Debian, Ubuntu, Gentoo
728 b'/etc/ssl/certs/ca-certificates.crt',
729 ]
730
731
732 def _defaultcacerts(ui):
722 def _defaultcacerts(ui):
733 """return path to default CA certificates or None.
723 """return path to default CA certificates or None.
734
724
@@ -751,23 +741,6 b' def _defaultcacerts(ui):'
751 except (ImportError, AttributeError):
741 except (ImportError, AttributeError):
752 pass
742 pass
753
743
754 # On Windows, only the modern ssl module is capable of loading the system
755 # CA certificates. If we're not capable of doing that, emit a warning
756 # because we'll get a certificate verification error later and the lack
757 # of loaded CA certificates will be the reason why.
758 # Assertion: this code is only called if certificates are being verified.
759 if pycompat.iswindows:
760 if not _canloaddefaultcerts:
761 ui.warn(
762 _(
763 b'(unable to load Windows CA certificates; see '
764 b'https://mercurial-scm.org/wiki/SecureConnections for '
765 b'how to configure Mercurial to avoid this message)\n'
766 )
767 )
768
769 return None
770
771 # Apple's OpenSSL has patches that allow a specially constructed certificate
744 # Apple's OpenSSL has patches that allow a specially constructed certificate
772 # to load the system CA store. If we're running on Apple Python, use this
745 # to load the system CA store. If we're running on Apple Python, use this
773 # trick.
746 # trick.
@@ -778,58 +751,6 b' def _defaultcacerts(ui):'
778 if os.path.exists(dummycert):
751 if os.path.exists(dummycert):
779 return dummycert
752 return dummycert
780
753
781 # The Apple OpenSSL trick isn't available to us. If Python isn't able to
782 # load system certs, we're out of luck.
783 if pycompat.isdarwin:
784 # FUTURE Consider looking for Homebrew or MacPorts installed certs
785 # files. Also consider exporting the keychain certs to a file during
786 # Mercurial install.
787 if not _canloaddefaultcerts:
788 ui.warn(
789 _(
790 b'(unable to load CA certificates; see '
791 b'https://mercurial-scm.org/wiki/SecureConnections for '
792 b'how to configure Mercurial to avoid this message)\n'
793 )
794 )
795 return None
796
797 # / is writable on Windows. Out of an abundance of caution make sure
798 # we're not on Windows because paths from _systemcacerts could be installed
799 # by non-admin users.
800 assert not pycompat.iswindows
801
802 # Try to find CA certificates in well-known locations. We print a warning
803 # when using a found file because we don't want too much silent magic
804 # for security settings. The expectation is that proper Mercurial
805 # installs will have the CA certs path defined at install time and the
806 # installer/packager will make an appropriate decision on the user's
807 # behalf. We only get here and perform this setting as a feature of
808 # last resort.
809 if not _canloaddefaultcerts:
810 for path in _systemcacertpaths:
811 if os.path.isfile(path):
812 ui.warn(
813 _(
814 b'(using CA certificates from %s; if you see this '
815 b'message, your Mercurial install is not properly '
816 b'configured; see '
817 b'https://mercurial-scm.org/wiki/SecureConnections '
818 b'for how to configure Mercurial to avoid this '
819 b'message)\n'
820 )
821 % path
822 )
823 return path
824
825 ui.warn(
826 _(
827 b'(unable to load CA certificates; see '
828 b'https://mercurial-scm.org/wiki/SecureConnections for '
829 b'how to configure Mercurial to avoid this message)\n'
830 )
831 )
832
833 return None
754 return None
834
755
835
756
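Review bot: With the last `ui.warn` fallbacks deleted from `_defaultcacerts` (old lines 754-770 and 781-831), the new side now drops straight from the Apple `dummycert` check to the bare `return None` at new line 754, and nothing at that point says what a `None` return means to the caller; a short comment there would keep the intent readable, e.g. `# No bundled CA file found here; None leaves CA loading to the ssl module's` / `# defaults (presumably gated by allowloaddefaultcerts in _hostsettings).` The removed Windows block also carried the line "this code is only called if certificates are being verified", which documented a precondition of the whole function rather than of that branch; if the docstring of `_defaultcacerts` does not state that precondition, or still says the function may emit warnings, it should be updated in the same change. The constant-folding of the condition in `_hostsettings` at new line 228 itself looks correct. `_defaultcacerts` starts in the third hunk and the parts of its body between and after the hunks are not shown.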