Index: Python-2.7.5/Modules/_ssl.c
===================================================================
--- Python-2.7.5.orig/Modules/_ssl.c
+++ Python-2.7.5/Modules/_ssl.c
@@ -271,6 +271,7 @@ newPySSLObject(PySocketSockObject *Sock,
 char *errstr = NULL;
 int ret;
 int verification_mode;
+ struct stat stat_buf;
 self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
 if (self == NULL)
@@ -327,20 +328,32 @@ newPySSLObject(PySocketSockObject *Sock,
 if (certreq != PY_SSL_CERT_NONE) {
 if (cacerts_file == NULL) {
- errstr = ERRSTR("No root certificates specified for "
- "verification of other-side certificates.");
- goto fail;
- } else {
 PySSL_BEGIN_ALLOW_THREADS
- ret = SSL_CTX_load_verify_locations(self->ctx,
- cacerts_file,
- NULL);
+ ret = SSL_CTX_set_default_verify_paths(self->ctx);
 PySSL_END_ALLOW_THREADS
- if (ret != 1) {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
- goto fail;
+ } else {
+ /* If cacerts_file is a directory-based cert store, pass it as the
+ third parameter, CApath, instead
+ */
+ if (stat(cacerts_file, &stat_buf) == 0 && S_ISDIR(stat_buf.st_mode)) {
+ PySSL_BEGIN_ALLOW_THREADS
+ ret = SSL_CTX_load_verify_locations(self->ctx,
+ NULL,
+ cacerts_file);
+ PySSL_END_ALLOW_THREADS
+ } else {
+ PySSL_BEGIN_ALLOW_THREADS
+ ret = SSL_CTX_load_verify_locations(self->ctx,
+ cacerts_file,
+ NULL);
+ PySSL_END_ALLOW_THREADS
 }
 }
+
+ if (ret != 1) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail;
+ }
 }
 if (key_file) {
 PySSL_BEGIN_ALLOW_THREADS
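Review bot: In the second hunk's `cacerts_file == NULL` branch, a caller who requires verification but names no CA file no longer gets the "No root certificates specified" error and instead trusts whatever OpenSSL's default store holds, so the `SSL_CTX_set_default_verify_paths` call deserves a comment such as `/* No ca_certs given: fall back to the OpenSSL default trust store (system-wide CAs). */`. As far as I know, a return of 1 from that call, or from `SSL_CTX_load_verify_locations` with only CApath set, does not show that any certificate was found, so an empty or unhashed directory passes the hoisted `ret != 1` check and only surfaces later as a handshake verification failure. The existing CApath comment could add that the directory must use OpenSSL's hashed file names. The `stat()` call also runs outside the `PySSL_BEGIN_ALLOW_THREADS` region and relies on `<sys/stat.h>` and `S_ISDIR`, neither of which this patch adds, so confirm the include is present on every platform the module builds for. The body of `newPySSLObject` starts and ends outside both hunks.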