From patchwork Wed Oct 19 16:07:14 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [STABLE] sslutil: guard against broken certifi installations
 (issue5406)
From: =?utf-8?q?G=C3=A1bor_Stefanik?= <gabor.stefanik@nng.com>
X-Patchwork-Id: 17177
Message-Id: <77e20e2892a869717db6.1476893234@waste.org>
To: mercurial-devel@mercurial-scm.org
Date: Wed, 19 Oct 2016 11:07:14 -0500

# HG changeset patch
# User Gábor Stefanik <gabor.stefanik@nng.com>
# Date 1476893174 -7200
#      Wed Oct 19 18:06:14 2016 +0200
# Branch stable
# Node ID 77e20e2892a869717db636f56ab1b9664fc8b285
# Parent  e478f11e418288b8308457303d3ddf6a23f874f8
sslutil: guard against broken certifi installations (issue5406)

Certifi is currently incompatible with py2exe; the Python code for certifi gets
included in library.zip, but not the cacert.pem file - and even if it were
included, SSLContext can't load a cacert.pem file from library.zip.
This currently makes it impossible to build a standalone Windows version of
Mercurial.

Guard against this, and possibly other situations where a module with the name
"certifi" exists, but is not usable.

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -695,9 +695,10 @@
     try:
         import certifi
         certs = certifi.where()
-        ui.debug('using ca certificates from certifi\n')
-        return certs
-    except ImportError:
+        if os.path.exists(certs):
+            ui.debug('using ca certificates from certifi\n')
+            return certs
+    except:
         pass
 
     # On Windows, only the modern ssl module is capable of loading the system