Most hosting services are third-party systems that will be served with

valid, secure SSL certificates. A few (such as rb-gateway, gerrit, or

GitLab) are run locally, and therefore may be deployed using self-signed

certificates. Until a couple years ago, this wasn't a problem, because

Python's urllib2 implementation didn't actually check SSL certificates

for validity. As of 2.7.9, it does.
We had some infrastructure in place for accepting invalid or self-signed

certificates, but it was only implemented for SCMTools, and even then

only for SVN and Perforce. Accepting certificates for services that were

connected to via urllib2, and especially services that go through a

HostingService, was not implemented.
This change does that. We now check for SSL-related errors when

attempting to authorize the account. In that case, we'll fetch and

decode the certificate, and show the "I trust this host" prompt to the

user. If the user accepts, we'll store the certificate in the

HostingServiceAccount's data field. Future attempts to use that

account will then add that certificate to the validation change (and

disable hostname checking, since self-signed certificates often are not

pinned to the correct hostname).

Set up rb-gateway using a self-signed certificate (along with a pending

change to enable SSL in rb-gateway) and attempted to connect it. Saw

the SSL certificate prompt, and selected "I trust this host". The

repository entry was saved, and the HostingServiceAccount.data field

contained the SSL certificate. Did some operations against the new

repository and saw that they completed successfully.