Patchwork [6,of,8] sslutil: document the Apple Python cert trick

Submitter Gregory Szorc
Date July 2, 2016, 2:57 a.m.
Message ID <17d67895b215c5c977d2.1467428262@ubuntu-vm-main>
Permalink /patch/15721/
State Superseded
Delegated to: Yuya Nishihara

Comments

Gregory Szorc - July 2, 2016, 2:57 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1467427907 25200
#      Fri Jul 01 19:51:47 2016 -0700
# Node ID 17d67895b215c5c977d2b446611abb219160a6f9
# Parent  101e040f8b014fe938803c68b502e7b72b4726f8
sslutil: document the Apple Python cert trick

This is sort of documented in _plainapplepython()'s docstring. But
it helps to be explicit in security code.
Yuya Nishihara - July 3, 2016, 10:40 a.m.
On Fri, 01 Jul 2016 19:57:42 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1467427907 25200
> #      Fri Jul 01 19:51:47 2016 -0700
> # Node ID 17d67895b215c5c977d2b446611abb219160a6f9
> # Parent  101e040f8b014fe938803c68b502e7b72b4726f8
> sslutil: document the Apple Python cert trick
> 
> This is sort of documented in _plainapplepython()'s docstring. But
> it helps to be explicit in security code.
> 
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -438,16 +438,19 @@ def _defaultcacerts(ui):
>      with demandimport.deactivated():
>          try:
>              import certifi
>              ui.debug('using ca certificates from certifi\n')
>              return certifi.where()
>          except Exception:
>              pass
>  
> +    # Apple's Python has patches that allow a specially constructed certificate
> +    # to load the system CA store. If we're running on Apple Python, use this
> +    # trick.
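Review bot: the new comment ends with "use this trick" without saying what the trick is, which undercuts the stated goal of being explicit in security code. Suggest spelling out the mechanism in the comment itself: that the file handed back as the CA bundle is a dummy certificate whose only purpose is to trigger the patched library's fallback to the system CA store, and what happens to verification if that fallback is not present on the running system.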

IIRC, Python isn't patched, but OpenSSL is, and Apple Python doesn't provide
a sane way to load certificates from the patched OpenSSL. I don't know that
it makes a difference on OS X, though.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -438,16 +438,19 @@  def _defaultcacerts(ui):
     with demandimport.deactivated():
         try:
             import certifi
             ui.debug('using ca certificates from certifi\n')
             return certifi.where()
         except Exception:
             pass
 
+    # Apple's Python has patches that allow a specially constructed certificate
+    # to load the system CA store. If we're running on Apple Python, use this
+    # trick.
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
             return dummycert
 
     return None
 
 def validatesocket(sock):
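Review bot: the comment at the top of the Apple branch attributes the behaviour to "patches" in Apple's Python, but, as the reply in this thread notes, the component carrying the patch is the OpenSSL that Apple's system Python links against; the Python layer merely lacks a sane way to reach the system store directly. Suggest rewording to something like "the OpenSSL shipped with Apple's system Python is patched so that ..." so a later reader does not go looking for a Python-level hook. The comment should also state the failure mode, since this is the security-relevant part: when _plainapplepython() is true, dummycert.pem becomes the only trust anchor handed to the caller, so if the OpenSSL fallback is absent, certificate verification of real servers fails closed rather than silently trusting. Finally, note that the `os.path.exists(dummycert)` guard means a missing dummycert.pem falls through to `return None`, i.e. no CA bundle at all; a short comment saying that the caller's handling of None is what decides the outcome in that case would make the hunk self-explanatory.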