[PATCH 5 of 8] sslutil: use certificates provided by certifi if available
Yuya Nishihara
yuya at tcha.org
Sun Jul 3 10:26:03 UTC 2016
On Fri, 01 Jul 2016 19:57:41 -0700, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc at gmail.com>
> # Date 1467340479 25200
> # Thu Jun 30 19:34:39 2016 -0700
> # Node ID 101e040f8b014fe938803c68b502e7b72b4726f8
> # Parent ab3d545871efb2e0405d576f3bda1c935d6b6d31
> sslutil: use certificates provided by certifi if available
>
> The "certifi" Python package provides a distribution of the
> Mozilla trusted CA certificates as a Python package. If it is
> present, we assume the user intends it to be used and we use
> it to provide the default CA certificates when certificates
> are otherwise not configured.
>
> It's worth noting that this behavior roughly matches the popular
> "requests" package, which also attempts to use "certifi" if
> present.
>
> diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
> --- a/mercurial/sslutil.py
> +++ b/mercurial/sslutil.py
> @@ -12,16 +12,17 @@ from __future__ import absolute_import
> import hashlib
> import os
> import re
> import ssl
> import sys
>
> from .i18n import _
> from . import (
> + demandimport,
> error,
> util,
> )
>
> # Python 2.7.9+ overhauled the built-in SSL/TLS features of Python. It added
> # support for TLS 1.1, TLS 1.2, SNI, system CA stores, etc. These features are
> # all exposed via the "ssl" module.
> #
> @@ -427,16 +428,26 @@ def _plainapplepython():
> if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
> return False
> exe = os.path.realpath(sys.executable).lower()
> return (exe.startswith('/usr/bin/python') or
> exe.startswith('/system/library/frameworks/python.framework/'))
>
> def _defaultcacerts(ui):
> """return path to default CA certificates or None."""
> + # The "certifi" Python package provides certificates. If it is installed,
> + # assume the user intends it to be used and use it.
> + with demandimport.deactivated():
> + try:
> + import certifi
> + ui.debug('using ca certificates from certifi\n')
> + return certifi.where()
> + except Exception:
> + pass
Any reason to not catch only ImportError?
More information about the Mercurial-devel
mailing list