@@ -52,8 +52,6 if util.safehasattr(ssl, b'PROTOCOL_TLSv | |||
|
52 | 52 | if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): |
|
53 | 53 | supportedprotocols.add(b'tls1.2') |
|
54 | 54 | |
|
55 | _canloaddefaultcerts = True | |
|
56 | ||
|
57 | 55 | |
|
58 | 56 | def _hostsettings(ui, hostname): |
|
59 | 57 | """Obtain security settings for a hostname. |
@@ -227,7 +225,7 def _hostsettings(ui, hostname): | |||
|
227 | 225 | |
|
228 | 226 | # Require certificate validation if CA certs are being loaded and |
|
229 | 227 | # verification hasn't been disabled above. |
|
230 |
if cafile or |
|
|
228 | if cafile or s[b'allowloaddefaultcerts']: | |
|
231 | 229 | s[b'verifymode'] = ssl.CERT_REQUIRED |
|
232 | 230 | else: |
|
233 | 231 | # At this point we don't have a fingerprint, aren't being |
@@ -721,14 +719,6 def _plainapplepython(): | |||
|
721 | 719 | ) |
|
722 | 720 | |
|
723 | 721 | |
|
724 | _systemcacertpaths = [ | |
|
725 | # RHEL, CentOS, and Fedora | |
|
726 | b'/etc/pki/tls/certs/ca-bundle.trust.crt', | |
|
727 | # Debian, Ubuntu, Gentoo | |
|
728 | b'/etc/ssl/certs/ca-certificates.crt', | |
|
729 | ] | |
|
730 | ||
|
731 | ||
|
732 | 722 | def _defaultcacerts(ui): |
|
733 | 723 | """return path to default CA certificates or None. |
|
734 | 724 | |
@@ -751,23 +741,6 def _defaultcacerts(ui): | |||
|
751 | 741 | except (ImportError, AttributeError): |
|
752 | 742 | pass |
|
753 | 743 | |
|
754 | # On Windows, only the modern ssl module is capable of loading the system | |
|
755 | # CA certificates. If we're not capable of doing that, emit a warning | |
|
756 | # because we'll get a certificate verification error later and the lack | |
|
757 | # of loaded CA certificates will be the reason why. | |
|
758 | # Assertion: this code is only called if certificates are being verified. | |
|
759 | if pycompat.iswindows: | |
|
760 | if not _canloaddefaultcerts: | |
|
761 | ui.warn( | |
|
762 | _( | |
|
763 | b'(unable to load Windows CA certificates; see ' | |
|
764 | b'https://mercurial-scm.org/wiki/SecureConnections for ' | |
|
765 | b'how to configure Mercurial to avoid this message)\n' | |
|
766 | ) | |
|
767 | ) | |
|
768 | ||
|
769 | return None | |
|
770 | ||
|
771 | 744 | # Apple's OpenSSL has patches that allow a specially constructed certificate |
|
772 | 745 | # to load the system CA store. If we're running on Apple Python, use this |
|
773 | 746 | # trick. |
@@ -778,58 +751,6 def _defaultcacerts(ui): | |||
|
778 | 751 | if os.path.exists(dummycert): |
|
779 | 752 | return dummycert |
|
780 | 753 | |
|
781 | # The Apple OpenSSL trick isn't available to us. If Python isn't able to | |
|
782 | # load system certs, we're out of luck. | |
|
783 | if pycompat.isdarwin: | |
|
784 | # FUTURE Consider looking for Homebrew or MacPorts installed certs | |
|
785 | # files. Also consider exporting the keychain certs to a file during | |
|
786 | # Mercurial install. | |
|
787 | if not _canloaddefaultcerts: | |
|
788 | ui.warn( | |
|
789 | _( | |
|
790 | b'(unable to load CA certificates; see ' | |
|
791 | b'https://mercurial-scm.org/wiki/SecureConnections for ' | |
|
792 | b'how to configure Mercurial to avoid this message)\n' | |
|
793 | ) | |
|
794 | ) | |
|
795 | return None | |
|
796 | ||
|
797 | # / is writable on Windows. Out of an abundance of caution make sure | |
|
798 | # we're not on Windows because paths from _systemcacerts could be installed | |
|
799 | # by non-admin users. | |
|
800 | assert not pycompat.iswindows | |
|
801 | ||
|
802 | # Try to find CA certificates in well-known locations. We print a warning | |
|
803 | # when using a found file because we don't want too much silent magic | |
|
804 | # for security settings. The expectation is that proper Mercurial | |
|
805 | # installs will have the CA certs path defined at install time and the | |
|
806 | # installer/packager will make an appropriate decision on the user's | |
|
807 | # behalf. We only get here and perform this setting as a feature of | |
|
808 | # last resort. | |
|
809 | if not _canloaddefaultcerts: | |
|
810 | for path in _systemcacertpaths: | |
|
811 | if os.path.isfile(path): | |
|
812 | ui.warn( | |
|
813 | _( | |
|
814 | b'(using CA certificates from %s; if you see this ' | |
|
815 | b'message, your Mercurial install is not properly ' | |
|
816 | b'configured; see ' | |
|
817 | b'https://mercurial-scm.org/wiki/SecureConnections ' | |
|
818 | b'for how to configure Mercurial to avoid this ' | |
|
819 | b'message)\n' | |
|
820 | ) | |
|
821 | % path | |
|
822 | ) | |
|
823 | return path | |
|
824 | ||
|
825 | ui.warn( | |
|
826 | _( | |
|
827 | b'(unable to load CA certificates; see ' | |
|
828 | b'https://mercurial-scm.org/wiki/SecureConnections for ' | |
|
829 | b'how to configure Mercurial to avoid this message)\n' | |
|
830 | ) | |
|
831 | ) | |
|
832 | ||
|
833 | 754 | return None |
|
834 | 755 | |
|
835 | 756 |
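Review bot: With the Windows, Darwin and `_systemcacertpaths` branches deleted, the `return None` at new line 754 of `_defaultcacerts` is now reached silently, whereas the removed code emitted a warning whenever no CA certificates could be loaded, and the surviving docstring at new line 723 ("return path to default CA certificates or None.") no longer says what a None return means for the caller. I would extend that docstring with `None means no bundled or Apple-supplied bundle was found; the caller is expected to rely on the ssl module's default trust store.` and put `# no explicit bundle available; defer to the ssl module's system store` above the final return. Whether every caller really falls back to the ssl module's default store on None is not visible in this diff and should be confirmed, because the hunk at new line 228 now sets `ssl.CERT_REQUIRED` whenever `s[b'allowloaddefaultcerts']` is true, so a missing store would surface as a verification failure rather than the former warning. The body of `_defaultcacerts` between new lines 725 and 740 lies outside the hunks shown here.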