From 664c2d1fc072d0cbd9b92a1cd5c9ac9ad7db326e Mon Sep 17 00:00:00 2001 From: Antoine Pitrou Date: Wed, 17 Nov 2010 20:29:42 +0000 Subject: [PATCH] Issue #10443: Add the SSLContext.set_default_verify_paths() method. --- Doc/library/ssl.rst | 9 +++++++++ Lib/test/test_ssl.py | 6 ++++++ Misc/NEWS | 2 ++ Modules/_ssl.c | 12 ++++++++++++ 4 files changed, 29 insertions(+) diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 39d1cfec96..b4139b8793 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -536,6 +536,15 @@ to speed up repeated connections from the same clients. following an `OpenSSL specific layout `_. +.. method:: SSLContext.set_default_verify_paths() + + Load a set of default "certification authority" (CA) certificates from + a filesystem path defined when building the OpenSSL library. Unfortunately, + there's no easy way to know whether this method succeeds: no error is + returned if no certificates are to be found. When the OpenSSL library is + provided as part of the operating system, though, it is likely to be + configured properly. + .. method:: SSLContext.set_ciphers(ciphers) Set the available ciphers for sockets created with this context. diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index df9b987289..087f964523 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -412,6 +412,12 @@ class ContextTests(unittest.TestCase): 'cache_full': 0, }) + def test_set_default_verify_paths(self): + # There's not much we can do to test that it acts as expected, + # so just check it doesn't crash or raise an exception. + ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + ctx.set_default_verify_paths() + class NetworkedTests(unittest.TestCase): diff --git a/Misc/NEWS b/Misc/NEWS index 5580333fae..4312186067 100644 --- a/Misc/NEWS +++ b/Misc/NEWS 
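Review bot: test_set_default_verify_paths asserts nothing after the call, so it would still pass if the method silently changed other context settings. The ssl.rst text in this patch says no error is reported when no certificates are found, so loading itself cannot be checked, but the test can pin that the call leaves verification settings untouched. Assuming a fresh context defaults to `ssl.CERT_NONE`, adding `self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)` after the call would record that callers must still set `verify_mode` themselves before peers are verified. The enclosing ContextTests class starts outside the hunk.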
@@ -13,6 +13,8 @@ Core and Builtins Library ------- +- Issue #10443: Add the SSLContext.set_default_verify_paths() method. + - Issue #10440: Support RUSAGE_THREAD as a constant in the resource module. Patch by Robert Collins. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 78ea293b39..c2b976a843 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1783,6 +1783,16 @@ error: return NULL; } +static PyObject * +set_default_verify_paths(PySSLContext *self, PyObject *unused) +{ + if (!SSL_CTX_set_default_verify_paths(self->ctx)) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + return NULL; + } + Py_RETURN_NONE; +} + static PyGetSetDef context_getsetlist[] = { {"options", (getter) get_options, (setter) set_options, NULL}, @@ -1802,6 +1812,8 @@ static struct PyMethodDef context_methods[] = { METH_VARARGS | METH_KEYWORDS, NULL}, {"session_stats", (PyCFunction) session_stats, METH_NOARGS, NULL}, + {"set_default_verify_paths", (PyCFunction) set_default_verify_paths, + METH_NOARGS, NULL}, {NULL, NULL} /* sentinel */ }; -- 2.40.0
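Review bot: The new set_default_verify_paths() in Modules/_ssl.c has no comment saying that a successful return is not evidence that any CA certificate was loaded. As the ssl.rst text in this patch states, OpenSSL reports no error when nothing is found, so the `_setSSLError` branch is reached only on an internal failure. I would add above the function `/* Success does not mean any CA certificate was loaded: OpenSSL ignores a missing default file or directory. */`. The comment could also note that OpenSSL consults the SSL_CERT_FILE and SSL_CERT_DIR environment variables before the compiled-in paths, which the documentation hunk does not mention and which matters when the process environment is not trusted.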