python-urllib3/urllib3-ssl-default-context.patch

--- a/src/urllib3/util/ssl_.py
+++ b/src/urllib3/util/ssl_.py
@@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None,
     elif ssl_context is None and hasattr(context, 'load_default_certs'):
         # try to load OS default certs; works well on Windows (require Python3.4+)
         context.load_default_certs()
+    elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):
+        context.set_default_verify_paths()
 
     if certfile:
         context.load_cert_chain(certfile, keyfile)