sslutil: don't load default certificates when they aren't relevant

Before, we would call SSLContext.load_default_certs() when
certificate verification wasn't being used. Since
SSLContext.verify_mode == ssl.CERT_NONE, this would ideally
no-op. However, there is a slim chance the loading of system
certs could cause a failure. Furthermore, this behavior
interfered with a future patch that aims to provide a more
helpful error message when we're unable to load CAs.

The lack of test fallout is hopefully a sign that our
security code and tests are in a relatively good state.
--- a/mercurial/sslutil.py Wed Jun 29 19:37:38 2016 -0700
+++ b/mercurial/sslutil.py Wed Jun 29 19:38:24 2016 -0700
@@ -154,11 +154,13 @@
# matters. No need to validate CA certs.
if s['certfingerprints']:
s['verifymode'] = ssl.CERT_NONE
+ s['allowloaddefaultcerts'] = False
# If --insecure is used, don't take CAs into consideration.
elif ui.insecureconnections:
s['disablecertverification'] = True
s['verifymode'] = ssl.CERT_NONE
+ s['allowloaddefaultcerts'] = False
if ui.configbool('devel', 'disableloaddefaultcerts'):
s['allowloaddefaultcerts'] = False
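Review bot: the two added `s['allowloaddefaultcerts'] = False` lines, one in the `certfingerprints` branch and one in the `ui.insecureconnections` branch, repeat a rule that depends only on `s['verifymode']`, so any later branch that sets `ssl.CERT_NONE` has to remember to clear the flag as well. Consider clearing it once after the if/elif chain when `s['verifymode'] == ssl.CERT_NONE`, next to the existing `devel.disableloaddefaultcerts` check, which already sets the same key. The commit message reports no test fallout, and nothing in this hunk pins the new behaviour, so a test asserting that default certificates are not loaded for both the fingerprint case and the `--insecure` case would keep this from regressing.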