Issue #18143: Implement ssl.get_default_verify_paths() in order to debug

the default locations for cafile and capath.
2025-08-27 12:16:04 +00:00 · 2013-06-09 18:02:55 +02:00 · 2013-06-09 18:02:55 +02:00 · 6d7ad13a45
commit 6d7ad13a45
parent 302b8c31ec
5 changed files with 97 additions and 1 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -89,6 +89,8 @@ ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY

 import textwrap
 import re
+import os
+import collections

 import _ssl             # if we can't import it, let the error propagate

@ -222,6 +224,24 @@ def match_hostname(cert, hostname):
            "subjectAltName fields were found")


+DefaultVerifyPaths = collections.namedtuple("DefaultVerifyPaths",
+    "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env "
+    "openssl_capath")
+
+def get_default_verify_paths():
+    """Return paths to default cafile and capath.
+    """
+    parts = _ssl.get_default_verify_paths()
+
+    # environment vars shadow paths
+    cafile = os.environ.get(parts[0], parts[1])
+    capath = os.environ.get(parts[2], parts[3])
+
+    return DefaultVerifyPaths(cafile if os.path.isfile(cafile) else None,
+                              capath if os.path.isdir(capath) else None,
+                              *parts)
+
+
 class SSLContext(_SSLContext):
    """An SSLContext holds various SSL-related configuration options and
    data, such as certificates and possibly a private key."""