Index: Python-2.7.7/Modules/_ssl.c
===================================================================
--- Python-2.7.7.orig/Modules/_ssl.c 2014-06-20 14:34:28.157656595 +0200
+++ Python-2.7.7/Modules/_ssl.c 2014-06-20 14:35:20.092929774 +0200
@@ -273,6 +273,7 @@
 char *errstr = NULL;
 int ret;
 int verification_mode;
+ struct stat stat_buf;
 long options;

 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
@@ -331,20 +332,32 @@

 if (certreq != PY_SSL_CERT_NONE) {
 if (cacerts_file == NULL) {
- errstr = ERRSTR("No root certificates specified for "
- "verification of other-side certificates.");
- goto fail;
- } else {
 PySSL_BEGIN_ALLOW_THREADS
- ret = SSL_CTX_load_verify_locations(self->ctx,
- cacerts_file,
- NULL);
+ ret = SSL_CTX_set_default_verify_paths(self->ctx);
 PySSL_END_ALLOW_THREADS
- if (ret != 1) {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
- goto fail;
+ } else {
+ /* If cacerts_file is a directory-based cert store, pass it as the
+ third parameter, CApath, instead
+ */
+ if (stat(cacerts_file, &stat_buf) == 0 && S_ISDIR(stat_buf.st_mode)) {
+ PySSL_BEGIN_ALLOW_THREADS
+ ret = SSL_CTX_load_verify_locations(self->ctx,
+ NULL,
+ cacerts_file);
+ PySSL_END_ALLOW_THREADS
+ } else {
+ PySSL_BEGIN_ALLOW_THREADS
+ ret = SSL_CTX_load_verify_locations(self->ctx,
+ cacerts_file,
+ NULL);
+ PySSL_END_ALLOW_THREADS
 }
 }
+
+ if (ret != 1) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail;
+ }
 }
 if (key_file) {
 PySSL_BEGIN_ALLOW_THREADS
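Review bot: In the second hunk, the `cacerts_file == NULL` branch under `certreq != PY_SSL_CERT_NONE` no longer fails closed: a caller that omitted its CA bundle, possibly by mistake, now trusts whatever `SSL_CTX_set_default_verify_paths()` resolves to, and nothing in the code records that change of contract. As far as I know those default locations can be redirected through the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, and the call reports success even when they hold no certificates, so the shared `ret != 1` check does not prove a usable trust store was loaded. I would document it above the call with `/* No CA bundle given: fall back to OpenSSL's default trust store (may honour SSL_CERT_FILE/SSL_CERT_DIR); callers that pin a CA must pass it explicitly. */`. The directory branch has a similar gap: a CApath is presumably only registered here and read lazily during verification, so an un-hashed or empty directory passes setup and only fails at handshake time, which the existing comment could state. The enclosing function starts and ends outside both hunks, so whether `errstr` is still used on other paths cannot be checked from here.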