| Submitter | Gregory Szorc |
|---|---|
| Date | July 2, 2016, 2:57 a.m. |
| Message ID | <17d67895b215c5c977d2.1467428262@ubuntu-vm-main> |
| Permalink | /patch/15721/ |
| State | Superseded |
| Delegated to | Yuya Nishihara |
Comments
On Fri, 01 Jul 2016 19:57:42 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1467427907 25200
> # Fri Jul 01 19:51:47 2016 -0700
> # Node ID 17d67895b215c5c977d2b446611abb219160a6f9
> # Parent 101e040f8b014fe938803c68b502e7b72b4726f8
> sslutil: document the Apple Python cert trick
>
> This is sort of documented in _plainapplepython()'s docstring. But
> it helps to be explicit in security code.
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -438,16 +438,19 @@ def _defaultcacerts(ui):
> with demandimport.deactivated():
> try:
> import certifi
> ui.debug('using ca certificates from certifi\n')
> return certifi.where()
> except Exception:
> pass
>
> + # Apple's Python has patches that allow a specially constructed certificate
> + # to load the system CA store. If we're running on Apple Python, use this
> + # trick.

IIRC, Python isn't patched, but OpenSSL is, and Apple Python doesn't provide a sane way to load certificates from the patched OpenSSL. I don't know if that makes a difference on OS X, though.
Patch
diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py --- a/mercurial/sslutil.py +++ b/mercurial/sslutil.py @@ -438,16 +438,19 @@ def _defaultcacerts(ui): with demandimport.deactivated(): try: import certifi ui.debug('using ca certificates from certifi\n') return certifi.where() except Exception: pass + # Apple's Python has patches that allow a specially constructed certificate + # to load the system CA store. If we're running on Apple Python, use this + # trick. if _plainapplepython(): dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem') if os.path.exists(dummycert): return dummycert return None def validatesocket(sock):
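Review bot: the added comment explains the trick but not the failure path that follows it in this hunk: when `_plainapplepython()` is true but `dummycert.pem` is not found beside `sslutil.py`, the function falls through to `return None`, and the earlier certifi branch reaches the same `return None` after `except Exception: pass` swallows any import error. Since the commit message says this is the place to be explicit in security code, extend the comment to state what a `None` return means for the caller (no default CA source was found, so verification depends on whatever the caller does with `None`), and, given the reply in the comments that it is OpenSSL rather than Python that carries the patch, reword "Apple's Python has patches" so the comment does not misdescribe the mechanism. For example: `# If dummycert.pem is missing we fall through and return None (no default CA source).`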