Show More
| @@ -52,8 +52,6 if util.safehasattr(ssl, b'PROTOCOL_TLSv | |||||
| 52 | if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): |
|
52 | if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'): | |
| 53 | supportedprotocols.add(b'tls1.2') |
|
53 | supportedprotocols.add(b'tls1.2') | |
| 54 |
|
54 | |||
| 55 | _canloaddefaultcerts = True |
|
|||
| 56 |
|
||||
| 57 |
|
55 | |||
| 58 | def _hostsettings(ui, hostname): |
|
56 | def _hostsettings(ui, hostname): | |
| 59 | """Obtain security settings for a hostname. |
|
57 | """Obtain security settings for a hostname. | |
| @@ -227,7 +225,7 def _hostsettings(ui, hostname): | |||||
| 227 |
|
225 | |||
| 228 | # Require certificate validation if CA certs are being loaded and |
|
226 | # Require certificate validation if CA certs are being loaded and | |
| 229 | # verification hasn't been disabled above. |
|
227 | # verification hasn't been disabled above. | |
| 230 |
if cafile or |
|
228 | if cafile or s[b'allowloaddefaultcerts']: | |
| 231 | s[b'verifymode'] = ssl.CERT_REQUIRED |
|
229 | s[b'verifymode'] = ssl.CERT_REQUIRED | |
| 232 | else: |
|
230 | else: | |
| 233 | # At this point we don't have a fingerprint, aren't being |
|
231 | # At this point we don't have a fingerprint, aren't being | |
| @@ -721,14 +719,6 def _plainapplepython(): | |||||
| 721 | ) |
|
719 | ) | |
| 722 |
|
720 | |||
| 723 |
|
721 | |||
| 724 | _systemcacertpaths = [ |
|
|||
| 725 | # RHEL, CentOS, and Fedora |
|
|||
| 726 | b'/etc/pki/tls/certs/ca-bundle.trust.crt', |
|
|||
| 727 | # Debian, Ubuntu, Gentoo |
|
|||
| 728 | b'/etc/ssl/certs/ca-certificates.crt', |
|
|||
| 729 | ] |
|
|||
| 730 |
|
||||
| 731 |
|
||||
| 732 | def _defaultcacerts(ui): |
|
722 | def _defaultcacerts(ui): | |
| 733 | """return path to default CA certificates or None. |
|
723 | """return path to default CA certificates or None. | |
| 734 |
|
724 | |||
| @@ -751,23 +741,6 def _defaultcacerts(ui): | |||||
| 751 | except (ImportError, AttributeError): |
|
741 | except (ImportError, AttributeError): | |
| 752 | pass |
|
742 | pass | |
| 753 |
|
743 | |||
| 754 | # On Windows, only the modern ssl module is capable of loading the system |
|
|||
| 755 | # CA certificates. If we're not capable of doing that, emit a warning |
|
|||
| 756 | # because we'll get a certificate verification error later and the lack |
|
|||
| 757 | # of loaded CA certificates will be the reason why. |
|
|||
| 758 | # Assertion: this code is only called if certificates are being verified. |
|
|||
| 759 | if pycompat.iswindows: |
|
|||
| 760 | if not _canloaddefaultcerts: |
|
|||
| 761 | ui.warn( |
|
|||
| 762 | _( |
|
|||
| 763 | b'(unable to load Windows CA certificates; see ' |
|
|||
| 764 | b'https://mercurial-scm.org/wiki/SecureConnections for ' |
|
|||
| 765 | b'how to configure Mercurial to avoid this message)\n' |
|
|||
| 766 | ) |
|
|||
| 767 | ) |
|
|||
| 768 |
|
||||
| 769 | return None |
|
|||
| 770 |
|
||||
| 771 | # Apple's OpenSSL has patches that allow a specially constructed certificate |
|
744 | # Apple's OpenSSL has patches that allow a specially constructed certificate | |
| 772 | # to load the system CA store. If we're running on Apple Python, use this |
|
745 | # to load the system CA store. If we're running on Apple Python, use this | |
| 773 | # trick. |
|
746 | # trick. | |
| @@ -778,58 +751,6 def _defaultcacerts(ui): | |||||
| 778 | if os.path.exists(dummycert): |
|
751 | if os.path.exists(dummycert): | |
| 779 | return dummycert |
|
752 | return dummycert | |
| 780 |
|
753 | |||
| 781 | # The Apple OpenSSL trick isn't available to us. If Python isn't able to |
|
|||
| 782 | # load system certs, we're out of luck. |
|
|||
| 783 | if pycompat.isdarwin: |
|
|||
| 784 | # FUTURE Consider looking for Homebrew or MacPorts installed certs |
|
|||
| 785 | # files. Also consider exporting the keychain certs to a file during |
|
|||
| 786 | # Mercurial install. |
|
|||
| 787 | if not _canloaddefaultcerts: |
|
|||
| 788 | ui.warn( |
|
|||
| 789 | _( |
|
|||
| 790 | b'(unable to load CA certificates; see ' |
|
|||
| 791 | b'https://mercurial-scm.org/wiki/SecureConnections for ' |
|
|||
| 792 | b'how to configure Mercurial to avoid this message)\n' |
|
|||
| 793 | ) |
|
|||
| 794 | ) |
|
|||
| 795 | return None |
|
|||
| 796 |
|
||||
| 797 | # / is writable on Windows. Out of an abundance of caution make sure |
|
|||
| 798 | # we're not on Windows because paths from _systemcacerts could be installed |
|
|||
| 799 | # by non-admin users. |
|
|||
| 800 | assert not pycompat.iswindows |
|
|||
| 801 |
|
||||
| 802 | # Try to find CA certificates in well-known locations. We print a warning |
|
|||
| 803 | # when using a found file because we don't want too much silent magic |
|
|||
| 804 | # for security settings. The expectation is that proper Mercurial |
|
|||
| 805 | # installs will have the CA certs path defined at install time and the |
|
|||
| 806 | # installer/packager will make an appropriate decision on the user's |
|
|||
| 807 | # behalf. We only get here and perform this setting as a feature of |
|
|||
| 808 | # last resort. |
|
|||
| 809 | if not _canloaddefaultcerts: |
|
|||
| 810 | for path in _systemcacertpaths: |
|
|||
| 811 | if os.path.isfile(path): |
|
|||
| 812 | ui.warn( |
|
|||
| 813 | _( |
|
|||
| 814 | b'(using CA certificates from %s; if you see this ' |
|
|||
| 815 | b'message, your Mercurial install is not properly ' |
|
|||
| 816 | b'configured; see ' |
|
|||
| 817 | b'https://mercurial-scm.org/wiki/SecureConnections ' |
|
|||
| 818 | b'for how to configure Mercurial to avoid this ' |
|
|||
| 819 | b'message)\n' |
|
|||
| 820 | ) |
|
|||
| 821 | % path |
|
|||
| 822 | ) |
|
|||
| 823 | return path |
|
|||
| 824 |
|
||||
| 825 | ui.warn( |
|
|||
| 826 | _( |
|
|||
| 827 | b'(unable to load CA certificates; see ' |
|
|||
| 828 | b'https://mercurial-scm.org/wiki/SecureConnections for ' |
|
|||
| 829 | b'how to configure Mercurial to avoid this message)\n' |
|
|||
| 830 | ) |
|
|||
| 831 | ) |
|
|||
| 832 |
|
||||
| 833 | return None |
|
754 | return None | |
| 834 |
|
755 | |||
| 835 |
|
756 | |||
General Comments 0
You need to be logged in to leave comments.
Login now