From a77054f90fd3947db03838d3f244ee802c388314 Mon Sep 17 00:00:00 2001
From: Cory Benfield
Date: Thu, 4 Sep 2014 19:40:15 +0100
Subject: [PATCH 1/2] Remove hard certifi dependency and document.

---
 docs/user/advanced.rst | 17 +++++++++++++++++
 setup.py | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/user/advanced.rst b/docs/user/advanced.rst
index 0de6b1b1..d14b3555 100644
--- a/docs/user/advanced.rst
+++ b/docs/user/advanced.rst
@@ -741,3 +741,20 @@ coffee.
 r = requests.get('https://github.com', timeout=None)
 
 .. _`connect()`: http://linux.die.net/man/2/connect
+
+CA Certificates
+---------------
+
+By default Requests bundles a set of root CAs that it trusts, sourced from the
+Mozilla trust store. However, these are only updated once for each Requests
+version. This means that if you pin a Requests version your certificates can
+become extremely out of date.
+
+From Requests version 2.4.0 onwards, Requests will attempt to use certificates
+from `certifi`_ if it is present on the system. This allows for users to update
+their trusted certificates without having to change the code that runs on their
+system.
+
+For the sake of security we recommend upgrading certifi frequently!
+
+.. _certifi: http://certifi.io/
diff --git a/setup.py b/setup.py
index 9540a47c..b790ec71 100755
--- a/setup.py
+++ b/setup.py
@@ -25,7 +25,7 @@ packages = [
 'requests.packages.urllib3.packages.ssl_match_hostname',
 ]
 
-requires = ['certifi']
+requires = []
 
 with open('README.rst') as f:
 readme = f.read()

From 9c6ae1dc0b6ade1dec2e8c3d5dcd8ef98398cb91 Mon Sep 17 00:00:00 2001
From: Cory Benfield
Date: Thu, 4 Sep 2014 19:44:37 +0100
Subject: [PATCH 2/2] Link to Mozilla trust store.

---
 docs/user/advanced.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/user/advanced.rst b/docs/user/advanced.rst
index d14b3555..df653d08 100644
--- a/docs/user/advanced.rst
+++ b/docs/user/advanced.rst
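Review bot: In the setup.py hunk of patch 1/2, `requires = []` drops certifi without leaving anything in the packaging metadata that says it is still the preferred CA source, so a fresh install now trusts only the root CAs bundled at release time. The documentation added in the same patch states that those bundled roots can become extremely out of date when a Requests version is pinned, which makes the silent default the weaker one. I would add a comment above the assignment, such as `# certifi is optional: when installed it replaces the bundled root CAs (see docs/user/advanced.rst)`, and consider exposing it as an opt-in extra, for example `extras_require={'<extra-name>': ['certifi']}` in the `setup()` call. The `setup()` call and the runtime code that selects certifi over the bundled roots are outside this hunk, so it is worth confirming that the fallback to the bundled roots exists before the hard dependency goes away.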
@@ -746,7 +746,7 @@ CA Certificates
 ---------------
 
 By default Requests bundles a set of root CAs that it trusts, sourced from the
-Mozilla trust store. However, these are only updated once for each Requests
+`Mozilla trust store`_. However, these are only updated once for each Requests
 version. This means that if you pin a Requests version your certificates can
 become extremely out of date.
 
@@ -758,3 +758,4 @@ system.
 For the sake of security we recommend upgrading certifi frequently!
 
 .. _certifi: http://certifi.io/
+.. _Mozilla trust store: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt