From 99210995463497cf4ee9ec1bee79c5f2bff4e3f8 Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Mon, 16 Apr 2012 12:31:47 -0700 Subject: [PATCH] Try to use the OS's CA certificate bundle for SSL verification --- AUTHORS.rst | 1 + requests/models.py | 10 +++++++--- requests/utils.py | 15 +++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/AUTHORS.rst b/AUTHORS.rst index 7cc76d6..50e7e1b 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -95,3 +95,4 @@ Patches and Suggestions - Michael Kelly - Michael Newman - Jonty Wareing +- Shivaram Lingamneni diff --git a/requests/models.py b/requests/models.py index 26bc518..28beed3 100644 --- a/requests/models.py +++ b/requests/models.py @@ -27,7 +27,7 @@ from .exceptions import ( URLRequired, SSLError, MissingSchema, InvalidSchema, InvalidURL) from .utils import ( get_encoding_from_headers, stream_untransfer, guess_filename, requote_uri, - dict_from_string, stream_decode_response_unicode, get_netrc_auth) + dict_from_string, stream_decode_response_unicode, get_netrc_auth, CA_BUNDLE_PATH) from .compat import ( urlparse, urlunparse, urljoin, urlsplit, urlencode, str, bytes, SimpleCookie, is_py2) @@ -524,7 +524,7 @@ class Request(object): conn = connectionpool.connection_from_url(url) except LocationParseError as e: raise InvalidURL(e) - + if url.startswith('https') and self.verify: cert_loc = None @@ -537,10 +537,14 @@ class Request(object): if not cert_loc and self.config.get('trust_env'): cert_loc = os.environ.get('REQUESTS_CA_BUNDLE') - # Curl compatiblity. + # Curl compatibility. if not cert_loc and self.config.get('trust_env'): cert_loc = os.environ.get('CURL_CA_BUNDLE') + # Use the operating system's bundle, if it can be found. + if not cert_loc: + cert_loc = CA_BUNDLE_PATH + # Use the awesome certifi list. if not cert_loc: cert_loc = __import__('certifi').where() diff --git a/requests/utils.py b/requests/utils.py index ab6672f..0ebcf60 100644 --- a/requests/utils.py +++ b/requests/utils.py 
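Review bot: The new OS-bundle fallback in the `@@ -537` hunk of requests/models.py is not gated on `trust_env`, unlike the `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE` lookups just above it, so a caller who disables `trust_env` still gets trust anchors selected by the host filesystem instead of the certifi list. If that is not intended, `if not cert_loc and self.config.get('trust_env'):` would keep the three lookups consistent. Either way the comment should state the resulting precedence, e.g. `# Order: REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, OS bundle, then certifi.`, since the OS bundle now silently takes priority over certifi on hosts where one of the listed files exists. `CA_BUNDLE_PATH` is computed once at import in requests/utils.py, so a bundle removed later would presumably make verification fail rather than fall through to certifi. The enclosing method starts and ends outside the hunk, so any earlier assignment to `cert_loc` is not visible here.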
@@ -24,6 +24,21 @@ from .compat import basestring, bytes, str NETRC_FILES = ('.netrc', '_netrc') +# common paths for the OS's CA certificate bundle +POSSIBLE_CA_BUNDLE_PATHS = [ + # Red Hat, CentOS, Fedora and friends: + '/etc/pki/tls/certs/ca-bundle.crt', + # Ubuntu and friends: + '/etc/ssl/certs/ca-certificates.crt', +] + +def get_ca_bundle_path(): + """Try to pick an available CA certificate bundle provided by the OS.""" + for path in POSSIBLE_CA_BUNDLE_PATHS: + if os.path.exists(path): + return path + +CA_BUNDLE_PATH = get_ca_bundle_path() def dict_to_sequence(d): """Returns an internal sequence dictionary update.""" -- 2.34.1
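Review bot: `get_ca_bundle_path()` accepts any candidate for which `os.path.exists(path)` is true, which includes a directory or a file the process cannot read, and the result is frozen into `CA_BUNDLE_PATH` at import time. Such a path would presumably fail closed with verification errors, but it also blocks the certifi fallback in requests/models.py; `if os.path.isfile(path) and os.access(path, os.R_OK):` is a tighter test. The function returns `None` implicitly when nothing matches and the caller depends on that, so I would end it with an explicit `return None` and extend the docstring with `Returns the first existing path, or None if none is found.` The hunk does not show `import os` in requests/utils.py; it is presumably imported above, but worth confirming.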