Mercurial Mercurial > mercurial / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sslutil: handle default CA certificate loading on Windows
authorGregory Szorc <gregory.szorc@gmail.com>
Mon, 04 Jul 2016 10:04:11 -0700
changeset 29489 54ad81b0665f
parent 29488 1c26b9ce66f8
child 29490 b4d117cee636
sslutil: handle default CA certificate loading on Windows See the inline comment for what's going on here. There is magic built into the "ssl" module that ships with modern CPython that knows how to load the system CA certificates on Windows. Since we're not shipping a CA bundle with Mercurial, if we're running on legacy CPython there's nothing we can do to load CAs on Windows, so it makes sense to print a warning. I don't anticipate many people will see this warning because the official (presumed popular) Mercurial distributions on Windows bundle Python and should be distributing a modern Python capable of loading system CA certs.
mercurial/sslutil.py file | annotate | diff | comparison | revisions
tests/test-https.t file | annotate | diff | comparison | revisions 
--- a/mercurial/sslutil.py	Thu Jun 30 19:54:12 2016 -0700
+++ b/mercurial/sslutil.py	Mon Jul 04 10:04:11 2016 -0700
@@ -447,6 +447,19 @@
     except ImportError:
         pass
 
+    # On Windows, only the modern ssl module is capable of loading the system
+    # CA certificates. If we're not capable of doing that, emit a warning
+    # because we'll get a certificate verification error later and the lack
+    # of loaded CA certificates will be the reason why.
+    # Assertion: this code is only called if certificates are being verified.
+    if os.name == 'nt':
+        if not _canloaddefaultcerts:
+            ui.warn(_('(unable to load Windows CA certificates; see '
+                      'https://mercurial-scm.org/wiki/SecureConnections for '
+                      'how to configure Mercurial to avoid this message)\n'))
+
+        return None
+
     # Apple's OpenSSL has patches that allow a specially constructed certificate
     # to load the system CA store. If we're running on Apple Python, use this
     # trick.
--- a/tests/test-https.t	Thu Jun 30 19:54:12 2016 -0700
+++ b/tests/test-https.t	Mon Jul 04 10:04:11 2016 -0700
@@ -60,6 +60,13 @@
   [255]
 #endif
 
+#if no-sslcontext windows
+  $ hg clone https://localhost:$HGPORT/ copy-pull
+  (unable to load Windows CA certificates; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this message)
+  abort: error: *certificate verify failed* (glob)
+  [255]
+#endif
+
 #if defaultcacertsloaded
   $ hg clone https://localhost:$HGPORT/ copy-pull
   abort: error: *certificate verify failed* (glob)
mercurial