process SSL_CERT_DIR as well

mrmathematica · mrmathematica · commit 6cc9a48ba560 · 2026-03-07T08:36:29.000+08:00
diff --git a/cpython-unix/patch-cpython-redhat-cert-file.patch b/cpython-unix/patch-cpython-redhat-cert-file.patch
@@ -1,16 +1,17 @@
 diff --git a/Lib/ssl.py b/Lib/ssl.py
-index 42ebb8ed384..5cf2575ecd8 100644
+index 42ebb8ed384..c15c0ec940f 100644
 --- a/Lib/ssl.py
 +++ b/Lib/ssl.py
-@@ -423,6 +423,7 @@ class SSLContext(_SSLContext):
+@@ -423,6 +423,8 @@ class SSLContext(_SSLContext):
      """An SSLContext holds various SSL-related configuration options and
      data, such as certificates and possibly a private key."""
      _windows_cert_stores = ("CA", "ROOT")
 +    _FALLBACK_CERT_FILE = "/etc/pki/tls/cert.pem"  # RHEL 8 and below, Fedora 33 and below
++    _FALLBACK_CERT_DIR = "/etc/pki/tls/certs"  # RHEL 8 and below, Fedora 33 and below
  
      sslsocket_class = None  # SSLSocket is assigned later.
      sslobject_class = None  # SSLObject is assigned later.
-@@ -531,6 +532,12 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
+@@ -531,6 +533,16 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
          if sys.platform == "win32":
              for storename in self._windows_cert_stores:
                  self._load_windows_store_certs(storename, purpose)
@@ -20,6 +21,10 @@ index 42ebb8ed384..5cf2575ecd8 100644
 +                not os.path.isfile(_def_paths[1]) and
 +                os.path.isfile(self._FALLBACK_CERT_FILE)):
 +                self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
++            if (_def_paths[2] not in os.environ and
++                not os.path.isdir(_def_paths[3]) and
++                os.path.isdir(self._FALLBACK_CERT_DIR)):
++                self.load_verify_locations(capath=self._FALLBACK_CERT_DIR)
          self.set_default_verify_paths()
  
      if hasattr(_SSLContext, 'minimum_version'):
