sslutil: update comment about create_default_context()
author Gregory Szorc <gregory.szorc@gmail.com>
Thu, 14 Jul 2016 19:56:39 -0700
changeset 29557 53de8255ec4e
parent 29556 1b8b6adb2365
child 29558 a935cd7d51a6
sslutil: update comment about create_default_context()

While ssl.create_default_context() creates an SSLContext with reasonable default options, we can't use it because it conflicts with our CA loading controls. So replace the comment with reality.

(FWIW the comment was written before the existing CA loading code was in place.)
mercurial/sslutil.py
--- a/mercurial/sslutil.py	Wed Jul 13 20:41:07 2016 -0700
+++ b/mercurial/sslutil.py	Thu Jul 14 19:56:39 2016 -0700
@@ -264,7 +264,13 @@
 
     settings = _hostsettings(ui, serverhostname)
 
-    # TODO use ssl.create_default_context() on modernssl.
+    # We can't use ssl.create_default_context() because it calls
+    # load_default_certs() unless CA arguments are passed to it. We want to
+    # have explicit control over CA loading because implicitly loading
+    # CAs may undermine the user's intent. For example, a user may define a CA
+    # bundle with a specific CA cert removed. If the system/default CA bundle
+    # is loaded and contains that removed CA, you've just undone the user's
+    # choice.
     sslcontext = SSLContext(settings['protocol'])
 
     # This is a no-op unless using modern ssl.
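
Review bot: The new comment above `sslcontext = SSLContext(settings['protocol'])` explains only the CA-loading reason and leaves two questions open for the next reader. First, it says create_default_context() skips load_default_certs() when CA arguments are passed, so it should also say why passing the user's bundle is not enough, for example that no CA arguments are available on some code paths. Second, the commit message notes that create_default_context() sets "reasonable default options"; since the context is now built directly, a sentence pointing to where this function applies the equivalent options would make it clear they are not lost. As a style point, the comment switches from "We" to "you've" in the last sentence; keeping one voice reads better.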