Try to use the OS's CA certificate bundle for SSL verification
authorShivaram Lingamneni <slingamn@cs.stanford.edu>
Mon, 16 Apr 2012 19:31:47 +0000 (12:31 -0700)
committerShivaram Lingamneni <slingamn@cs.stanford.edu>
Mon, 16 Apr 2012 22:28:31 +0000 (15:28 -0700)
AUTHORS.rst
requests/models.py
requests/utils.py

index 7cc76d6b2dc381fbc1bba0f625dbb37b6ba2d807..50e7e1b58fd77aae7e1c432164ce01a03fa3b767 100644 (file)
@@ -95,3 +95,4 @@ Patches and Suggestions
 - Michael Kelly
 - Michael Newman <newmaniese@gmail.com>
 - Jonty Wareing <jonty@jonty.co.uk>
+- Shivaram Lingamneni
index 26bc518d53ca943468cd622beba4dbed4c5123d0..28beed3c658e2cdf81b612135287ad26736fd55d 100644 (file)
@@ -27,7 +27,7 @@ from .exceptions import (
     URLRequired, SSLError, MissingSchema, InvalidSchema, InvalidURL)
 from .utils import (
     get_encoding_from_headers, stream_untransfer, guess_filename, requote_uri,
-    dict_from_string, stream_decode_response_unicode, get_netrc_auth)
+    dict_from_string, stream_decode_response_unicode, get_netrc_auth, CA_BUNDLE_PATH)
 from .compat import (
     urlparse, urlunparse, urljoin, urlsplit, urlencode, str, bytes,
     SimpleCookie, is_py2)
@@ -524,7 +524,7 @@ class Request(object):
                     conn = connectionpool.connection_from_url(url)
             except LocationParseError as e:
                 raise InvalidURL(e)
-                
+
         if url.startswith('https') and self.verify:
 
             cert_loc = None
@@ -537,10 +537,14 @@ class Request(object):
             if not cert_loc and self.config.get('trust_env'):
                 cert_loc = os.environ.get('REQUESTS_CA_BUNDLE')
 
-            # Curl compatiblity.
+            # Curl compatibility.
             if not cert_loc and self.config.get('trust_env'):
                 cert_loc = os.environ.get('CURL_CA_BUNDLE')
 
+            # Use the operating system's bundle, if it can be found.
+            if not cert_loc:
+                cert_loc = CA_BUNDLE_PATH
+
             # Use the awesome certifi list.
             if not cert_loc:
                 cert_loc = __import__('certifi').where()
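Review bot: The new `if not cert_loc: cert_loc = CA_BUNDLE_PATH` branch sits ahead of the certifi fallback, so on any host where one of the known paths exists, certifi is never consulted and the trusted roots become whatever that local file contains. That changes the trust anchors for existing users and should be stated in the comment, e.g. `# Prefer the OS bundle over certifi: trust then follows the system store, including locally added or removed roots.` Unlike the two environment lookups above it, this branch is not conditioned on `self.config.get('trust_env')`; if that is intentional, the comment should say so. The enclosing method starts and ends outside the hunk, so any earlier source of `cert_loc` is not visible here.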
index ab6672f9e05b7a1b7cd40f67db5d9f12b41f4f16..0ebcf60b40987fdd771804cf821fe11ef8b595be 100644 (file)
@@ -24,6 +24,21 @@ from .compat import basestring, bytes, str
 
 NETRC_FILES = ('.netrc', '_netrc')
 
+# common paths for the OS's CA certificate bundle
+POSSIBLE_CA_BUNDLE_PATHS = [
+        # Red Hat, CentOS, Fedora and friends:
+        '/etc/pki/tls/certs/ca-bundle.crt',
+        # Ubuntu and friends:
+        '/etc/ssl/certs/ca-certificates.crt',
+]
+
+def get_ca_bundle_path():
+    """Try to pick an available CA certificate bundle provided by the OS."""
+    for path in POSSIBLE_CA_BUNDLE_PATHS:
+        if os.path.exists(path):
+            return path
+
+CA_BUNDLE_PATH = get_ca_bundle_path()
 
 def dict_to_sequence(d):
     """Returns an internal sequence dictionary update."""
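Review bot: `os.path.exists(path)` in `get_ca_bundle_path` also accepts a directory or a file the process cannot read. Because the caller in requests/models.py only falls through to certifi when the value is empty, such a path would make HTTPS verification fail instead of falling back to the certifi list. A tighter check would be `if os.path.isfile(path) and os.access(path, os.R_OK):`, with an explicit `return None` after the loop and a docstring line saying that `None` means "no OS bundle found". `CA_BUNDLE_PATH` is computed once at import, so a bundle installed or replaced later is not picked up until the process restarts; a one-line comment on the assignment would document that. The hunk does not show an `import os` in utils.py, so confirm the module already has one.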