python-2.7.3-ssl_ca_path
authorAnas Nashif <anas.nashif@intel.com>
Wed, 7 Nov 2012 15:29:36 +0000 (07:29 -0800)
committerChanho Park <chanho61.park@samsung.com>
Tue, 19 Aug 2014 10:40:54 +0000 (19:40 +0900)
===================================================================

Modules/_ssl.c

index 752b033e75eb782eddfdc995ed017b58b43a88ee..c94309ead33493957b16216a3e627751656687b0 100644 (file)
@@ -274,6 +274,7 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
     int ret;
     int verification_mode;
     long options;
+    struct stat stat_buf;
 
     self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
     if (self == NULL)
@@ -335,11 +336,23 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
                             "verification of other-side certificates.");
             goto fail;
         } else {
-            PySSL_BEGIN_ALLOW_THREADS
-            ret = SSL_CTX_load_verify_locations(self->ctx,
-                                                cacerts_file,
-                                                NULL);
-            PySSL_END_ALLOW_THREADS
+            /* If cacerts_file is a directory-based cert store, pass it as the
+               third parameter, CApath, instead
+            */
+            if (stat(cacerts_file, &stat_buf) == 0 && S_ISDIR(stat_buf.st_mode)) {
+                PySSL_BEGIN_ALLOW_THREADS
+                ret = SSL_CTX_load_verify_locations(self->ctx,
+                                                    NULL,
+                                                    cacerts_file);
+                PySSL_END_ALLOW_THREADS
+            } else {
+                PySSL_BEGIN_ALLOW_THREADS
+                ret = SSL_CTX_load_verify_locations(self->ctx,
+                                                    cacerts_file,
+                                                    NULL);
+                PySSL_END_ALLOW_THREADS
+            }
+
             if (ret != 1) {
                 _setSSLError(NULL, 0, __FILE__, __LINE__);
                 goto fail;
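Review bot: The directory branch at the `S_ISDIR` check hands the path to OpenSSL as CApath, and that lookup only finds certificates stored under their subject-name hash (the `c_rehash`-style layout); `SSL_CTX_load_verify_locations` returns 1 for a directory it can merely add, so an unhashed or empty directory passes the `ret != 1` check here and only surfaces later as a verification failure with no indication that no trust anchors were loaded. The comment above the `stat` call should say so, e.g. `/* A directory is passed as CApath: OpenSSL looks certificates up by hashed file name, so an unhashed directory loads nothing without an error here. */`. `stat()` and `S_ISDIR` need `<sys/stat.h>` in scope and `S_ISDIR` is not available on every toolchain; I cannot see the include block in this hunk, so that should be confirmed. `newPySSLObject` starts before this hunk and continues past it.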