ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
Mads Kiilerich -
r22575:d7f7f186 default
@@ -0,0 +1,56 b''
1 A dummy certificate that will make OS X 10.6+ Python use the system CA
2 certificate store:
3
4 -----BEGIN CERTIFICATE-----
5 MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
6 LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
7 MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
8 mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
9 CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
10 IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
11 aKdQRekuMQ==
12 -----END CERTIFICATE-----
13
14 This certificate was generated to be syntactically valid but never be usable;
15 it expired before it became valid.
16
17 Created as:
18
19 $ cat > cn.conf << EOT
20 > [req]
21 > distinguished_name = req_distinguished_name
22 > [req_distinguished_name]
23 > commonName = Common Name
24 > commonName_default = no.example.com
25 > EOT
26 $ openssl req -nodes -new -x509 -keyout /dev/null \
27 > -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
28
29 To verify the content of this certificate:
30
31 $ openssl x509 -in dummycert.pem -noout -text
32 Certificate:
33 Data:
34 Version: 1 (0x0)
35 Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
36 Signature Algorithm: sha1WithRSAEncryption
37 Issuer: CN=hg.example.com
38 Validity
39 Not Before: Aug 30 08:45:59 2014 GMT
40 Not After : Aug 29 08:45:59 2014 GMT
41 Subject: CN=hg.example.com
42 Subject Public Key Info:
43 Public Key Algorithm: rsaEncryption
44 Public-Key: (512 bit)
45 Modulus:
46 00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
47 19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
48 51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
49 f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
50 a4:05:81:60:29
51 Exponent: 65537 (0x10001)
52 Signature Algorithm: sha1WithRSAEncryption
53 17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
54 5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
55 f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
56 27:b5:9e:68:a7:50:45:e9:2e:31
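Review bot: The explanatory text says the certificate "expired before it became valid" but does not say that its private key was discarded, which is the other property that makes shipping it as a trust anchor harmless. The recipe shows this only implicitly through `-keyout /dev/null`; a sentence after the validity remark such as `The private key was written to /dev/null, so nothing can ever be signed with it.` would make it explicit and would also explain why the 512-bit key and SHA-1 signature in the dump do not matter. The `commonName_default = no.example.com` line in cn.conf is overridden by `-subj '/CN=hg.example.com'`, so it could be dropped or aligned to avoid confusion.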
@@ -6,7 +6,7 b''
6 #
6 #
7 # This software may be used and distributed according to the terms of the
7 # This software may be used and distributed according to the terms of the
8 # GNU General Public License version 2 or any later version.
8 # GNU General Public License version 2 or any later version.
9 import os
9 import os, sys
10
10
11 from mercurial import util
11 from mercurial import util
12 from mercurial.i18n import _
12 from mercurial.i18n import _
@@ -104,6 +104,13 b' def sslkwargs(ui, host):'
104 cacerts = util.expandpath(cacerts)
104 cacerts = util.expandpath(cacerts)
105 if not os.path.exists(cacerts):
105 if not os.path.exists(cacerts):
106 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
106 raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
107 elif cacerts is None and sys.platform == 'darwin' and not util.mainfrozen():
108 dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
109 if os.path.exists(dummycert):
110 ui.debug('using %s to enable OS X system CA\n' % dummycert)
111 ui.setconfig('web', 'cacerts', dummycert, 'dummy')
112 cacerts = dummycert
113 if cacerts:
107 kws.update({'ca_certs': cacerts,
114 kws.update({'ca_certs': cacerts,
108 'cert_reqs': CERT_REQUIRED,
115 'cert_reqs': CERT_REQUIRED,
109 })
116 })
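Review bot: The new `elif` branch keys the fallback on `sys.platform == 'darwin'` alone, which says nothing about which OpenSSL this Python is linked against. The commit title describes the dummy cert as a trick for the system Python/OpenSSL; on a darwin Python built against a different OpenSSL the dummy certificate would presumably be the only trust anchor, so every HTTPS connection with `web.cacerts` unset would abort with a verify failure instead of warning. At minimum the branch needs a comment stating that assumption and the opt-out, e.g. `# relies on the OS X system OpenSSL falling back to the system CA store; set web.cacerts= (empty) to disable`. The `ui.setconfig('web', 'cacerts', dummycert, 'dummy')` call also changes configuration from inside a helper that otherwise only builds keyword arguments, which deserves a one-line why-comment. sslkwargs starts before and continues past this hunk, so the callers that consume the returned kwargs are not visible here.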
@@ -481,7 +481,8 b' class HackedMingw32CCompiler(cygwinccomp'
481 cygwinccompiler.Mingw32CCompiler = HackedMingw32CCompiler
481 cygwinccompiler.Mingw32CCompiler = HackedMingw32CCompiler
482
482
483 packagedata = {'mercurial': ['locale/*/LC_MESSAGES/hg.mo',
483 packagedata = {'mercurial': ['locale/*/LC_MESSAGES/hg.mo',
484 'help/*.txt']}
484 'help/*.txt',
485 'dummycert.pem']}
485
486
486 def ordinarypath(p):
487 def ordinarypath(p):
487 return p and p[0] != '.' and p[-1] != '~'
488 return p and p[0] != '.' and p[-1] != '~'
@@ -332,6 +332,10 b' def has_msys():'
332 def has_aix():
332 def has_aix():
333 return sys.platform.startswith("aix")
333 return sys.platform.startswith("aix")
334
334
335 @check("osx", "OS X")
336 def has_osx():
337 return sys.platform == 'darwin'
338
335 @check("absimport", "absolute_import in __future__")
339 @check("absimport", "absolute_import in __future__")
336 def has_absimport():
340 def has_absimport():
337 import __future__
341 import __future__
@@ -115,9 +115,20 b' Test server address cannot be reused'
115 #endif
115 #endif
116 $ cd ..
116 $ cd ..
117
117
118 OS X has a dummy CA cert that enables use of the system CA store
119
120 $ DISABLEOSXDUMMYCERT=
121 #if osx
122 $ hg clone https://localhost:$HGPORT/ copy-pull
123 abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
124 [255]
125
126 $ DISABLEOSXDUMMYCERT="--config=web.cacerts="
127 #endif
128
118 clone via pull
129 clone via pull
119
130
120 $ hg clone https://localhost:$HGPORT/ copy-pull
131 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLEOSXDUMMYCERT
121 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
132 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
122 requesting all changes
133 requesting all changes
123 adding changesets
134 adding changesets
@@ -143,7 +154,7 b' pull without cacert'
143 $ cd copy-pull
154 $ cd copy-pull
144 $ echo '[hooks]' >> .hg/hgrc
155 $ echo '[hooks]' >> .hg/hgrc
145 $ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc
156 $ echo "changegroup = python \"$TESTDIR/printenv.py\" changegroup" >> .hg/hgrc
146 $ hg pull
157 $ hg pull $DISABLEOSXDUMMYCERT
147 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
158 warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
148 pulling from https://localhost:$HGPORT/
159 pulling from https://localhost:$HGPORT/
149 searching for changes
160 searching for changes
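Review bot: The `#if osx` block expects `hg clone` to abort with `certificate verify failed`, which holds only while the host's system trust store does not trust the test server's certificate; that assumption is not stated in the test. The opt-out `DISABLEOSXDUMMYCERT="--config=web.cacerts="` presumably works because the fallback branch in sslkwargs triggers only when `cacerts is None` and an empty setting is not None; a sentence saying so next to "OS X has a dummy CA cert that enables use of the system CA store" would save the next reader a trip to the source. Only the `hg clone` and `hg pull` commands visible in these two hunks receive `$DISABLEOSXDUMMYCERT`; any other command in this file that runs without `web.cacerts` would need it too on OS X, which cannot be checked from here.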