Patchwork [2,of,4,V2] sslutil: document the Apple OpenSSL cert trick

Submitter Gregory Szorc
Date July 4, 2016, 5:04 p.m.
Message ID <5502ac4d0b7380e1f666.1467651878@ubuntu-vm-main>
Permalink /patch/15739/
State Accepted

Comments

Gregory Szorc - July 4, 2016, 5:04 p.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1467651656 25200
#      Mon Jul 04 10:00:56 2016 -0700
# Node ID 5502ac4d0b7380e1f666a3a5a6cc5f4319c4ed73
# Parent  21168a74003cc690f9a2ef7059e382996965247d
sslutil: document the Apple OpenSSL cert trick

This is sort of documented in _plainapplepython()'s docstring. But
it helps to be explicit in security code.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -437,16 +437,19 @@  def _defaultcacerts(ui):
     try:
         import certifi
         certs = certifi.where()
         ui.debug('using ca certificates from certifi\n')
         return certs
     except ImportError:
         pass
 
+    # Apple's OpenSSL has patches that allow a specially constructed certificate
+    # to load the system CA store. If we're running on Apple Python, use this
+    # trick.
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
             return dummycert
 
     return None
 
 def validatesocket(sock):
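Review bot: the new comment explains why the Apple branch exists but not what happens when the trick cannot be applied, which is the part a reader of security code will want. When `_plainapplepython()` is true but `dummycert.pem` is absent, the branch falls through to `return None`, so the caller gets no CA bundle at all rather than the system store. Consider extending the comment to say so, and to make explicit that `dummycert.pem` is only a trigger for Apple's OpenSSL patches to consult the system CA store, not a trust anchor in its own right, e.g.:

    # trick. The dummy cert is not itself trusted; it only causes Apple's
    # OpenSSL to load the system CA store. If the file is missing we fall
    # through and return None (no CA certificates).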