python-httplib2/httplib2-use-system-certs.patch

diff --git a/python2/httplib2/__init__.py b/python2/httplib2/__init__.py
index 32ec959..cf7f2f9 100644
--- a/python2/httplib2/__init__.py
+++ b/python2/httplib2/__init__.py
@@ -83,11 +83,20 @@ def _ssl_wrap_socket(sock, key_file, cert_file, disable_validation,
         cert_reqs = ssl.CERT_NONE
     else:
         cert_reqs = ssl.CERT_REQUIRED
-    if ssl_version is None:
-        ssl_version = ssl.PROTOCOL_SSLv23
-
     if hasattr(ssl, 'SSLContext'):  # Python 2.7.9
-        context = ssl.SSLContext(ssl_version)
+        cafile = ca_certs
+        capath = None
+        if cafile is not None and os.path.isdir(cafile):
+            cafile = None
+            capath = ca_certs
+
+        if ssl_version is None:
+            context = ssl.create_default_context(cafile=cafile, capath=capath)
+            if disable_validation:
+                context.check_hostname = False
+        else:
+            context = ssl.SSLContext(ssl_version)
+
         context.verify_mode = cert_reqs
         context.check_hostname = (cert_reqs != ssl.CERT_NONE)
         if cert_file:
@@ -96,6 +105,9 @@ def _ssl_wrap_socket(sock, key_file, cert_file, disable_validation,
             context.load_verify_locations(ca_certs)
         return context.wrap_socket(sock, server_hostname=hostname)
     else:
+        if ssl_version is None:
+            ssl_version = ssl.PROTOCOL_SSLv23
+
         return ssl.wrap_socket(sock, keyfile=key_file, certfile=cert_file,
                                cert_reqs=cert_reqs, ca_certs=ca_certs,
                                ssl_version=ssl_version)
@@ -210,15 +222,8 @@ class NotRunningAppEngineEnvironment(HttpLib2Error): pass
 # requesting that URI again.
 DEFAULT_MAX_REDIRECTS = 5
 
-try:
-    # Users can optionally provide a module that tells us where the CA_CERTS
-    # are located.
-    import ca_certs_locater
-    CA_CERTS = ca_certs_locater.get()
-except ImportError:
-    # Default CA certificates file bundled with httplib2.
-    CA_CERTS = os.path.join(
-        os.path.dirname(os.path.abspath(__file__ )), "cacerts.txt")
+# Default CA certificates file bundled with httplib2.
+CA_CERTS = None
 
 # Which headers are hop-by-hop headers by default
 HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization', 'te', 'trailers', 'transfer-encoding', 'upgrade']
@@ -975,8 +980,6 @@ class HTTPSConnectionWithTimeout(httplib.HTTPSConnection):
                                          cert_file=cert_file, strict=strict)
         self.timeout = timeout
         self.proxy_info = proxy_info
-        if ca_certs is None:
-            ca_certs = CA_CERTS
         self.ca_certs = ca_certs
         self.disable_ssl_certificate_validation = \
                 disable_ssl_certificate_validation
diff --git a/python3/httplib2/__init__.py b/python3/httplib2/__init__.py
index 0000ed9..40f4556 100644
--- a/python3/httplib2/__init__.py
+++ b/python3/httplib2/__init__.py
@@ -124,8 +124,7 @@ DEFAULT_MAX_REDIRECTS = 5
 HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization', 'te', 'trailers', 'transfer-encoding', 'upgrade']
 
 # Default CA certificates file bundled with httplib2.
-CA_CERTS = os.path.join(
-        os.path.dirname(os.path.abspath(__file__ )), "cacerts.txt")
+CA_CERTS = None
 
 def _get_end2end_headers(response):
     hopbyhop = list(HOP_BY_HOP)
@@ -838,16 +837,17 @@ class HTTPSConnectionWithTimeout(http.client.HTTPSConnection):
         # TODO: implement proxy_info
         self.proxy_info = proxy_info
         context = None
-        if ca_certs is None:
-            ca_certs = CA_CERTS
-        if (cert_file or ca_certs):
+        if True:
             if not hasattr(ssl, 'SSLContext'):
                 raise CertificateValidationUnsupportedInPython31()
-            context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-            if disable_ssl_certificate_validation:
-                context.verify_mode = ssl.CERT_NONE
-            else:
-                context.verify_mode = ssl.CERT_REQUIRED
+
+            cafile = ca_certs
+            capath = None
+            if cafile is not None and os.path.isdir(cafile):
+                cafile = None
+                capath = ca_certs
+
+            context = ssl.create_default_context(cafile=cafile, capath=capath)
             if cert_file:
                 context.load_cert_chain(cert_file, key_file)
             if ca_certs:
diff --git a/setup.py b/setup.py
index 9c8c86c..34ea20a 100755
--- a/setup.py
+++ b/setup.py
@@ -61,7 +61,6 @@ A comprehensive HTTP client library, ``httplib2`` supports many features left ou
         """,
         package_dir=pkgdir,
         packages=['httplib2'],
-        package_data={'httplib2': ['*.txt']},
         classifiers=[
         'Development Status :: 4 - Beta',
         'Environment :: Web Environment',