Fix #1680 - Use System SSL Certificates if Available

2014-06-12 22:59:01 -04:00 · 2014-06-12 22:59:01 -04:00 · 4a8173c4ed
parent 868671a62c
commit 4a8173c4ed
3 changed files with 40 additions and 2 deletions
--- a/CHANGES.txt
+++ b/CHANGES.txt
@ -45,6 +45,9 @@
  until their removal in pip v1.8. For more information please see
  https://pip.pypa.io/en/latest/reference/pip_install.html#caching

+* Fixed :issue:`1680`. Attempt to locate system TLS certificates to use instead
+  of the included CA Bundle if possible. (:pull:`1866`)
+

 **1.5.7**

--- a/pip/cmdoptions.py
+++ b/pip/cmdoptions.py
@ -10,7 +10,7 @@ pass on state. To be consistent, all options will follow this design.
 import copy
 from optparse import OptionGroup, SUPPRESS_HELP, Option
 from pip.locations import (
-    USER_CACHE_DIR, build_prefix, default_log_file, src_prefix,
+    CA_BUNDLE_PATH, USER_CACHE_DIR, build_prefix, default_log_file, src_prefix,
 )


@ -164,7 +164,7 @@ cert = OptionMaker(
    '--cert',
    dest='cert',
    type='str',
-    default='',
+    default=CA_BUNDLE_PATH,
    metavar='path',
    help="Path to alternate CA bundle.")

--- a/pip/locations.py
+++ b/pip/locations.py
@ -2,6 +2,7 @@

 import getpass
 import os
+import os.path
 import site
 import sys
 import tempfile
@ -11,12 +12,46 @@ from distutils.command.install import install, SCHEME_KEYS

 from pip import appdirs
 from pip.compat import get_path_uid
+
 import pip.exceptions


 # Hack for flake8
 install

+
+# CA Bundle Locations
+CA_BUNDLE_PATHS = [
+    # Debian/Ubuntu/Gentoo etc.
+    "/etc/ssl/certs/ca-certificates.crt",
+
+    # Fedora/RHEL
+    "/etc/pki/tls/certs/ca-bundle.crt",
+
+    # OpenSUSE
+    "/etc/ssl/ca-bundle.pem",
+
+    # OpenBSD
+    "/etc/ssl/cert.pem",
+
+    # FreeBSD/DragonFly
+    "/usr/local/share/certs/ca-root-nss.crt",
+
+    # Homebrew on OSX
+    "/usr/local/etc/openssl/cert.pem",
+]
+
+# Attempt to locate a CA Bundle that we can pass into requests, we have a list
+# of possible ones from various systems. If we cannot find one then we'll set
+# this to None so that we default to whatever requests is setup to handle.
+#
+# Note to Downstream: If you wish to disable this autodetection and simply use
+#                     whatever requests does (likely you've already patched
+#                     requests.certs.where()) then simply edit this line so
+#                     that it reads ``CA_BUNDLE_PATH = None``.
+CA_BUNDLE_PATH = next((x for x in CA_BUNDLE_PATHS if os.path.exists(x)), None)
+
+
 # Application Directories
 USER_CACHE_DIR = appdirs.user_cache_dir("pip")