Try to use the OS's CA certificate bundle for SSL verification

2026-06-05 22:50:18 +00:00 · 2012-04-16 12:31:47 -07:00
parent 2f6b5feb1a
commit 9921099546
3 changed files with 23 additions and 3 deletions
@@ -95,3 +95,4 @@ Patches and Suggestions
 - Michael Kelly
 - Michael Newman <newmaniese@gmail.com>
 - Jonty Wareing <jonty@jonty.co.uk>
+- Shivaram Lingamneni
@@ -27,7 +27,7 @@ from .exceptions import (
    URLRequired, SSLError, MissingSchema, InvalidSchema, InvalidURL)
 from .utils import (
    get_encoding_from_headers, stream_untransfer, guess_filename, requote_uri,
-    dict_from_string, stream_decode_response_unicode, get_netrc_auth)
+    dict_from_string, stream_decode_response_unicode, get_netrc_auth, CA_BUNDLE_PATH)
 from .compat import (
    urlparse, urlunparse, urljoin, urlsplit, urlencode, str, bytes,
    SimpleCookie, is_py2)
@@ -524,7 +524,7 @@ class Request(object):
                    conn = connectionpool.connection_from_url(url)
            except LocationParseError as e:
                raise InvalidURL(e)
-                
+
        if url.startswith('https') and self.verify:

            cert_loc = None
@@ -537,10 +537,14 @@ class Request(object):
            if not cert_loc and self.config.get('trust_env'):
                cert_loc = os.environ.get('REQUESTS_CA_BUNDLE')

-            # Curl compatiblity.
+            # Curl compatibility.
            if not cert_loc and self.config.get('trust_env'):
                cert_loc = os.environ.get('CURL_CA_BUNDLE')

+            # Use the operating system's bundle, if it can be found.
+            if not cert_loc:
+                cert_loc = CA_BUNDLE_PATH
+
            # Use the awesome certifi list.
            if not cert_loc:
                cert_loc = __import__('certifi').where()
@@ -24,6 +24,21 @@ from .compat import basestring, bytes, str

 NETRC_FILES = ('.netrc', '_netrc')

+# common paths for the OS's CA certificate bundle
+POSSIBLE_CA_BUNDLE_PATHS = [
+        # Red Hat, CentOS, Fedora and friends:
+        '/etc/pki/tls/certs/ca-bundle.crt',
+        # Ubuntu and friends:
+        '/etc/ssl/certs/ca-certificates.crt',
+]
+
+def get_ca_bundle_path():
+    """Try to pick an available CA certificate bundle provided by the OS."""
+    for path in POSSIBLE_CA_BUNDLE_PATHS:
+        if os.path.exists(path):
+            return path
+
+CA_BUNDLE_PATH = get_ca_bundle_path()

 def dict_to_sequence(d):
    """Returns an internal sequence dictionary update."""