Comments
Patch
@@ -413,16 +413,35 @@ def has_sslcontext():
except (ImportError, AttributeError):
return False
@check("defaultcacerts", "can verify SSL certs by system's CA certs store")
def has_defaultcacerts():
from mercurial import sslutil
return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts
+@check("defaultcacertsloaded", "detected presence of loaded system CA certs")
+def has_defaultcacertsloaded():
+ import ssl
+ from mercurial import sslutil
+
+ if not has_defaultcacerts():
+ return False
+ if not has_sslcontext():
+ return False
+
+ cafile = sslutil._defaultcacerts()
+ ctx = ssl.create_default_context()
+ if cafile:
+ ctx.load_verify_locations(cafile=cafile)
+ else:
+ ctx.load_default_certs()
+
+ return len(ctx.get_ca_certs()) > 0
+
@check("windows", "Windows")
def has_windows():
return os.name == 'nt'
@check("system-sh", "system() uses sh")
def has_system_sh():
return os.name != 'nt'
@@ -42,22 +42,36 @@ Test server address cannot be reused
abort: cannot start server at ':$HGPORT': Address already in use
[255]
#endif
$ cd ..
Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
-#if defaultcacerts
+#if sslcontext defaultcacerts no-defaultcacertsloaded
$ hg clone https://localhost:$HGPORT/ copy-pull
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
abort: error: *certificate verify failed* (glob)
[255]
-#else
+#endif
+
+#if no-sslcontext defaultcacerts
+ $ hg clone https://localhost:$HGPORT/ copy-pull
+ abort: error: *certificate verify failed* (glob)
+ [255]
+#endif
+
+#if defaultcacertsloaded
+ $ hg clone https://localhost:$HGPORT/ copy-pull
+ abort: error: *certificate verify failed* (glob)
+ [255]
+#endif
+
+#if no-defaultcacerts
$ hg clone https://localhost:$HGPORT/ copy-pull
abort: localhost certificate error: no certificate received
(set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
[255]
#endif
Specifying a per-host certificate file that doesn't exist will abort
@@ -38,26 +38,55 @@ Utility functions:
$ DISABLECACERTS=
$ try () {
> hg email $DISABLECACERTS -f quux -t foo -c bar -r tip "$@"
> }
Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs:
-#if defaultcacerts
+#if sslcontext defaultcacerts no-defaultcacertsloaded
$ try
this patch series consists of 1 patches.
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error)
(?i)abort: .*?certificate.verify.failed.* (re)
[255]
#endif
+#if no-sslcontext defaultcacerts
+ $ try
+ this patch series consists of 1 patches.
+
+
+ (?i)abort: .*?certificate.verify.failed.* (re)
+ [255]
+#endif
+
+#if defaultcacertsloaded
+ $ try
+ this patch series consists of 1 patches.
+
+
+ (?i)abort: .*?certificate.verify.failed.* (re)
+ [255]
+
+#endif
+
+#if no-defaultcacerts
+ $ try
+ this patch series consists of 1 patches.
+
+
+ abort: localhost certificate error: no certificate received
+ (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
+ [255]
+#endif
+
$ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
Without certificates:
$ try --debug
this patch series consists of 1 patches.