From owner-freebsd-python@FreeBSD.ORG  Mon Dec 29 05:18:49 2014
Return-Path: <owner-freebsd-python@FreeBSD.ORG>
Delivered-To: python@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 17612EAB
 for <python@freebsd.org>; Mon, 29 Dec 2014 05:18:49 +0000 (UTC)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com
 [IPv6:2a00:1450:400c:c00::232])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 9E000640D1
 for <python@freebsd.org>; Mon, 29 Dec 2014 05:18:48 +0000 (UTC)
Received: by mail-wg0-f50.google.com with SMTP id a1so18165350wgh.37
 for <python@freebsd.org>; Sun, 28 Dec 2014 21:18:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:from:date:message-id:subject:to:content-type;
 bh=6IlmSoxg9t2s/WqklzEr26HDnV+TBOxfnEr/C0hJHEA=;
 b=HmYKmLfaqtwXJWlBr1y7OZXZHOYM52Dlo7xbwV9RigSYvv5bTSvP055GNlHXc96OP0
 JYOK4H/1bnGzuWIC0V1/tDFE8+SGoIoblho5zEhakJZF1ghCxrSv6ZGaq8nRcdr/LPRD
 3F1u14rSyj74vb16Pnpi4JiauV+hBJicIBcdWhBRvY0VHYZXjEER4gm9/erNnNVcKUyo
 Ia/Z0KS7Da4TZXzj8nHAU65a+hfG4ycJT455bteWBoiUXv9lVpdIkjQLo2rPhpiy0NN8
 NXCYbjEL82HoLftvJQ8sRx1ONfhRZ8Ex1F6rKAwYbvZQyetvTqc45T4CcVC7AuLW+DN/
 f3MQ==
X-Received: by 10.194.205.138 with SMTP id lg10mr76262863wjc.130.1419830325590; 
 Sun, 28 Dec 2014 21:18:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.88.3 with HTTP; Sun, 28 Dec 2014 21:18:05 -0800 (PST)
From: "James D. Lin" <jamesdlin@gmail.com>
Date: Sun, 28 Dec 2014 21:18:05 -0800
Message-ID: <CADPatTdEmWSQDDx-eZ8ba3Pa_a2phzGME8CbeTcvpSPvckB45Q@mail.gmail.com>
Subject: Python 2.7.9 looks for SSL certificates in /etc/ssl instead of
 /usr/local/etc/ssl
To: python@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-python@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: FreeBSD-specific Python issues <freebsd-python.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-python>,
 <mailto:freebsd-python-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-python/>
List-Post: <mailto:freebsd-python@freebsd.org>
List-Help: <mailto:freebsd-python-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-python>,
 <mailto:freebsd-python-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 05:18:49 -0000

Hello,

I recently upgraded to Python 2.7.9 from the ports collection on my FreeBSD
10.0 system, and Python 2.7.9's change to enable SSL verification
unexpectedly broke several of my Python scripts that made https connections
to sites with valid SSL certificates.  The reason is that Python is looking
for the CA file at /etc/ssl/cert.pem, which does not exist in my FreeBSD
installation.  I do, however, have a /usr/local/etc/ssl/cert.pem file
(which is actually a symlink to /usr/local/share/certs/ca-root-nss.crt):
Calling ssl.get_default_verify_paths() in Python returns:

DefaultVerifyPaths(cafile=None,
                   capath=None,
                   openssl_cafile_env='SSL_CERT_FILE',
                   openssl_cafile='/etc/ssl/cert.pem',
                   openssl_capath_env='SSL_CERT_DIR',
                   openssl_capath='/etc/ssl/certs')

Is this something that can (and should) be corrected in the Python 2.7.9
port?

Thanks,

- James