Patchwork [8,of,8] sslutil: handle default CA certificate loading on Windows

login
register
mail settings
Submitter Gregory Szorc
Date July 2, 2016, 2:57 a.m.
Message ID <9e53d27955ec6f2fa87c.1467428264@ubuntu-vm-main>
Download mbox | patch
Permalink /patch/15723/
State Superseded
Delegated to: Yuya Nishihara
Headers show

Comments

Gregory Szorc - July 2, 2016, 2:57 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1467428156 25200
#      Fri Jul 01 19:55:56 2016 -0700
# Node ID 9e53d27955ec6f2fa87ce7c3200b0f119da4d88d
# Parent  d3ae9cd26627123efd30a2e71d87eebf05b6f63c
sslutil: handle default CA certificate loading on Windows

See the inline comment for what's going on here.

There is magic built into the "ssl" module that ships with modern
CPython that knows how to load the system CA certificates on
Windows. Since we're not shipping a CA bundle with Mercurial,
if we're running on legacy CPython there's nothing we can do
to load CAs on Windows, so it makes sense to print a warning.

I don't anticipate many people will see this warning because
the official (presumed popular) Mercurial distributions on
Windows bundle Python and should be distributing a modern Python
capable of loading system CA certs.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -443,16 +443,28 @@  def _defaultcacerts(ui):
     with demandimport.deactivated():
         try:
             import certifi
             ui.debug('using ca certificates from certifi\n')
             return certifi.where()
         except Exception:
             pass
 
+    # On Windows, only the modern ssl module is capable of loading the system
+    # CA certificates. If we're not capable of doing that, emit a warning
+    # because we'll get a certificate verification error later and the lack
+    # of loaded CA certificates will be the reason why.
+    if os.name == 'nt':
+        if not _canloaddefaultcerts:
+            ui.warn(_('(unable to load Windows CA certificates; see '
+                      'https://mercurial-scm.org/wiki/SecureConnections for '
+                      'how to configure Mercurial to avoid this message)\n'))
+
+        return None
+
     # Apple's Python has patches that allow a specially constructed certificate
     # to load the system CA store. If we're running on Apple Python, use this
     # trick.
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
             return dummycert
 
diff --git a/tests/test-https.t b/tests/test-https.t
--- a/tests/test-https.t
+++ b/tests/test-https.t
@@ -55,16 +55,23 @@  we are able to load CA certs.
 #endif
 
 #if no-sslcontext defaultcacerts
   $ hg clone https://localhost:$HGPORT/ copy-pull
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
 
+#if no-sslcontext windows
+  $ hg clone https://localhost:$HGPORT/ copy-pull
+  (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
+  abort: error: *certificate verify failed* (glob)
+  [255]
+#endif
+
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   abort: error: *certificate verify failed* (glob)
   [255]
 #endif
 
 #if no-defaultcacerts
   $ hg clone https://localhost:$HGPORT/ copy-pull