Patchwork [04,of,11] sslutil: make sslkwargs code even more explicit

login
register
mail settings
Submitter Gregory Szorc
Date May 5, 2016, 7:53 a.m.
Message ID <6ed24e176bfd6cd4590a.1462434801@ubuntu-vm-main>
Download mbox | patch
Permalink /patch/14896/
State Accepted
Headers show

Comments

Gregory Szorc - May 5, 2016, 7:53 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1462433563 25200
#      Thu May 05 00:32:43 2016 -0700
# Node ID 6ed24e176bfd6cd4590a3c3dfadefdf5f7dd747a
# Parent  2864851cadedd9fb960368d408ce6fce039c78a8
sslutil: make sslkwargs code even more explicit

The ways in which this code can interact with socket wrapping
and validation later are mind numbing. This patch helps make it
even more clear.

The end behavior should be identical.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -256,28 +256,36 @@  def sslkwargs(ui, host):
             raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
 
         kws.update({'ca_certs': cacerts,
                     'cert_reqs': ssl.CERT_REQUIRED})
         return kws
 
     # No CAs in config. See if we can load defaults.
     cacerts = _defaultcacerts()
+
+    # We found an alternate CA bundle to use. Load it.
     if cacerts:
         ui.debug('using %s to enable OS X system CA\n' % cacerts)
-    else:
-        if not _canloaddefaultcerts:
-            cacerts = '!'
+        ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+        kws.update({'ca_certs': cacerts,
+                    'cert_reqs': ssl.CERT_REQUIRED})
+        return kws
 
-    ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+    # FUTURE this can disappear once wrapsocket() is secure by default.
+    if _canloaddefaultcerts:
+        kws['cert_reqs'] = ssl.CERT_REQUIRED
+        return kws
 
-    if cacerts != '!':
-        kws.update({'ca_certs': cacerts,
-                    'cert_reqs': ssl.CERT_REQUIRED,
-                    })
+    # This is effectively indicating that no CAs can be loaded because
+    # we can't get here if web.cacerts is set or if we can find
+    # CA certs elsewhere. Using a config option (which is later
+    # consulted by validator.__call__ is not very obvious).
+    # FUTURE fix this
+    ui.setconfig('web', 'cacerts', '!', 'defaultcacerts')
     return kws
 
 class validator(object):
     def __init__(self, ui, host):
         self.ui = ui
         self.host = host
 
     def __call__(self, sock, strict=False):