packaging/python-2.7.3-ssl_ca_path.patch

   1 Index: Modules/_ssl.c
   2 ===================================================================
   3 --- Modules/_ssl.c.orig
   4 +++ Modules/_ssl.c
   5 @@ -271,6 +271,7 @@ newPySSLObject(PySocketSockObject *Sock,
   6      char *errstr = NULL;
   7      int ret;
   8      int verification_mode;
   9 +    struct stat stat_buf;
  10
  11      self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
  12      if (self == NULL)
  13 @@ -331,11 +332,23 @@ newPySSLObject(PySocketSockObject *Sock,
  14                              "verification of other-side certificates.");
  15              goto fail;
  16          } else {
  17 -            PySSL_BEGIN_ALLOW_THREADS
  18 -            ret = SSL_CTX_load_verify_locations(self->ctx,
  19 -                                                cacerts_file,
  20 -                                                NULL);
  21 -            PySSL_END_ALLOW_THREADS
  22 +            /* If cacerts_file is a directory-based cert store, pass it as the
  23 +               third parameter, CApath, instead
  24 +            */
  25 +            if (stat(cacerts_file, &stat_buf) == 0 && S_ISDIR(stat_buf.st_mode)) {
  26 +                PySSL_BEGIN_ALLOW_THREADS
  27 +                ret = SSL_CTX_load_verify_locations(self->ctx,
  28 +                                                    NULL,
  29 +                                                    cacerts_file);
  30 +                PySSL_END_ALLOW_THREADS
  31 +            } else {
  32 +                PySSL_BEGIN_ALLOW_THREADS
  33 +                ret = SSL_CTX_load_verify_locations(self->ctx,
  34 +                                                    cacerts_file,
  35 +                                                    NULL);
  36 +                PySSL_END_ALLOW_THREADS
  37 +            }
  38 +
  39              if (ret != 1) {
  40                  _setSSLError(NULL, 0, __FILE__, __LINE__);
  41                  goto fail;