From 0c14e84c827b280b7767440b01904b083e2e422d Mon Sep 17 00:00:00 2001
From: Tomas Hoger <thoger@redhat.com>
Date: Thu, 26 Nov 2015 22:31:46 +0100
Subject: [PATCH] Support SSL_CERT_FILE and SSL_CERT_DIR env vars

Python PEP 476 (Enabling certificate verification by default for stdlib http
clients) recommends the use of SSL_CERT_FILE and SSL_CERT_DIR environment
variables to point the OpenSSL library used by Python to use specific
non-default bundle of trusted CA certificates.

https://www.python.org/dev/peps/pep-0476/#trust-database

These variables could not have been used to point scripts using requests to a
different CA bundle.  A different variable, REQUESTS_CA_BUNDLE, is read by
requests.  CURL_CA_BUNDLE is also used for compatibility with cURL.

This commit makes requests also look at SSL_CERT_FILE and SSL_CERT_DIR.  They
are handled as equivalent to REQUESTS_CA_BUNDLE.  As REQUESTS_CA_BUNDLE can
point to either certificate file or certificate directory, SSL_CERT_* can also
point to a file or directory.  There's no attempt to ensure SSL_CERT_FILE can
only point to a file and SSL_CERT_DIR to a directory.  This is similar to how
CURL_CA_BUNDLE is handled - requests allows it to specify certificate
directory, while cURL only allows it to specify certificate file.

Fixes requests issue #2899:

https://github.com/kennethreitz/requests/issues/2899
---
 requests/sessions.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/requests/sessions.py b/requests/sessions.py
index 12879a5b..2eac9fef 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -618,11 +618,13 @@ class Session(SessionRedirectMixin):
             for (k, v) in env_proxies.items():
                 proxies.setdefault(k, v)
 
-            # Look for requests environment configuration and be compatible
-            # with cURL.
+            # Look for requests CA_BUNDLE configuration in the environment. Be
+            # compatible with cURL and PEP 476 / OpenSSL.
             if verify is True or verify is None:
                 verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
-                          os.environ.get('CURL_CA_BUNDLE'))
+                          os.environ.get('CURL_CA_BUNDLE') or
+                          os.environ.get('SSL_CERT_FILE') or
+                          os.environ.get('SSL_CERT_DIR'))
 
         # Merge all the kwargs.
         proxies = merge_setting(proxies, self.proxies)