File mercurial-2.8-ssl.diff of Package mercurial.5472

diff -uprN mercurial-2.8.orig/mercurial/sslutil.py mercurial-2.8/mercurial/sslutil.py
--- mercurial-2.8.orig/mercurial/sslutil.py	2013-11-24 11:43:21.326826414 +0100
+++ mercurial-2.8/mercurial/sslutil.py	2013-11-24 11:45:24.960654510 +0100
@@ -89,7 +89,6 @@ def _verifycert(cert, hostname):
 # busted on those versions.
 
 def sslkwargs(ui, host):
-    cacerts = ui.config('web', 'cacerts')
     forcetls = ui.configbool('ui', 'tls', default=True)
     if forcetls:
         ssl_version = PROTOCOL_TLSv1
@@ -98,10 +97,14 @@ def sslkwargs(ui, host):
     hostfingerprint = ui.config('hostfingerprints', host)
     kws = {'ssl_version': ssl_version,
            }
-    if cacerts and not hostfingerprint:
-        cacerts = util.expandpath(cacerts)
-        if not os.path.exists(cacerts):
-            raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
+    if not hostfingerprint:
+        cacerts = ui.config('web', 'cacerts')
+	# cacerts explicitly set to empty string means to disable
+	# checking. See insecure option in dispatch.py
+	if cacerts is not None and cacerts != '':
+	    cacerts = util.expandpath(cacerts)
+	    if not os.path.exists(cacerts):
+	        raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
         kws.update({'ca_certs': cacerts,
                     'cert_reqs': CERT_REQUIRED,
                     })
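Review bot: The `kws.update({'ca_certs': cacerts, 'cert_reqs': CERT_REQUIRED, })` call that closes this hunk sits at the level of `if not hostfingerprint:`, so it also runs when `web.cacerts` is the empty string that the new comment documents as "disable checking", and when it is unset (`ca_certs=None`). What the ssl module does with `CERT_REQUIRED` and an empty or missing CA path is not visible here and presumably depends on the Python build, so both the opt-out and the unset case should be spelled out in the code instead of being left to that behaviour. The added lines are also indented with tabs inside a space-indented function; in a block where nesting decides whether verification is requested, that should be normalised to spaces. One possible shape is below, assuming that unset is meant to verify and only `''` opts out; sslkwargs continues outside the hunk.

```python
    if not hostfingerprint:
        cacerts = ui.config('web', 'cacerts')
        # web.cacerts == '' is the explicit opt-out (see insecure option
        # in dispatch.py); unset (None) still requests verification
        if cacerts != '':
            if cacerts is not None:
                cacerts = util.expandpath(cacerts)
                if not os.path.exists(cacerts):
                    raise util.Abort(_('could not find web.cacerts: %s') % cacerts)
            kws.update({'ca_certs': cacerts,
                        'cert_reqs': CERT_REQUIRED,
                        })
```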
@@ -150,7 +153,7 @@ class validator(object):
                                  hint=_('check hostfingerprint configuration'))
             self.ui.debug('%s certificate matched fingerprint %s\n' %
                           (host, nicefingerprint))
-        elif cacerts:
+        elif cacerts is None or cacerts != '':
             msg = _verifycert(peercert2, host)
             if msg:
                 raise util.Abort(_('%s certificate error: %s') % (host, msg),
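Review bot: The new condition `elif cacerts is None or cacerts != '':` reduces to `elif cacerts != '':`, because `None != ''` is already true; the shorter form states the rule (only an explicit empty string skips `_verifycert`) more directly. Where `cacerts` is assigned in this method is outside the hunk, so it is worth confirming that it is read the same way as in sslkwargs. A comment on the branch such as `# web.cacerts == '' is the explicit opt-out; unset (None) still verifies` would keep the two sites in step. The enclosing method starts and ends outside the hunk.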