@@ -256,28 +256,36 @@ def sslkwargs(ui, host):
raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
kws.update({'ca_certs': cacerts,
'cert_reqs': ssl.CERT_REQUIRED})
return kws
# No CAs in config. See if we can load defaults.
cacerts = _defaultcacerts()
+
+ # We found an alternate CA bundle to use. Load it.
if cacerts:
ui.debug('using %s to enable OS X system CA\n' % cacerts)
- else:
- if not _canloaddefaultcerts:
- cacerts = '!'
+ ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+ kws.update({'ca_certs': cacerts,
+ 'cert_reqs': ssl.CERT_REQUIRED})
+ return kws
- ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+ # FUTURE this can disappear once wrapsocket() is secure by default.
+ if _canloaddefaultcerts:
+ kws['cert_reqs'] = ssl.CERT_REQUIRED
+ return kws
- if cacerts != '!':
- kws.update({'ca_certs': cacerts,
- 'cert_reqs': ssl.CERT_REQUIRED,
- })
+ # This is effectively indicating that no CAs can be loaded because
+ # we can't get here if web.cacerts is set or if we can find
+ # CA certs elsewhere. Using a config option (which is later
+ # consulted by validator.__call__ is not very obvious).
+ # FUTURE fix this
+ ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
return kws
class validator(object):
def __init__(self, ui, host):
self.ui = ui
self.host = host
def __call__(self, sock, strict=False):
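Review bot: The final fall-through in sslkwargs (after the `_canloaddefaultcerts` branch) returns kws with no `cert_reqs` set and signals "no CAs available" only through the `'!'` sentinel in `web.cacerts`, so judging from this function alone the connection appears to proceed without certificate verification, and nothing is logged here. The new comment explains the sentinel but not that consequence; I would state it outright, e.g. `# SECURITY: cert_reqs is left unset here, so the peer certificate is not verified; validator.__call__ is expected to warn or abort.`, and confirm against validator.__call__ (its body is outside this hunk) that this is what actually happens. A `ui.debug` on this path, matching the one in the `if cacerts:` branch, would also make the downgrade visible when diagnosing a connection. Minor: the closing parenthesis in the new comment belongs after `validator.__call__`, not after `obvious`. The start of sslkwargs is outside the hunk.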