Hi there,

This is hopefully the right mailing for this question. We are shipping our own python interpreter in our product, and following some discussions on https://mail.python.org/pipermail/python-dev/2017-January/147282.html, we understand shipping the certificate from certifi in our python is the best approach on Linux/OS X.

Unfortunately, ssl hardcodes at compilation time the default location of certificate. I could workaround this at the python level by patching ssl.SSLContext.load_default_certs to look as follows:

def load_default_certs(...):
....

if sys.platform == "win32":
...

else:

        prefix = os.path.normpath(sys.prefix)
        default_cert = os.path.join(prefix, "ssl", "cert.pem")
        if os.path.isfile(default_cert):
            self.load_verify_locations(default_cert)
        else:
            self.set_default_verify_paths()

While this seems to work, my lack of knowledge in all things related to security and ssl in particular makes me worry to patch anything in there. Is this a sane approach ? If not, is there a better way ?

Thank you,

David