Use the "cacert.pem" file from the "mozilla-rootcerts" package as an *extra*

location to load CA certificates from in the "ssl" module.

HTTPS requests to a site with a valid certificate now work out of the box
(even without the "mozilla-rootcerts-openssl").

3 files changed, 31 insertions, 2 deletions

diff --git a/lang/python27/Makefile b/lang/python27/Makefile
index a4bd8a2f331..034704f5bff 100644
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.54 2015/12/06 18:22:35 adam Exp $
+# $NetBSD: Makefile,v 1.55 2016/02/06 11:25:09 tron Exp $
 
 .include "dist.mk"
 
 PKGNAME=	python27-${PY_DISTVERSION}
+PKGREVISION=	1
 CATEGORIES=	lang python
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
@@ -10,6 +11,8 @@ HOMEPAGE=	http://www.python.org/
 COMMENT=	Interpreted, interactive, object-oriented programming language
 LICENSE=	python-software-foundation
 
+DEPENDS=	mozilla-rootcerts>=1.0.20150804nb1:../../security/mozilla-rootcerts
+
 CONFLICTS+=	python-[0-9]*
 
 GNU_CONFIGURE=		yes
@@ -171,6 +174,12 @@ SUBST_STAGE.sslbase=	pre-configure
 SUBST_FILES.sslbase=	setup.py
 SUBST_VARS.sslbase=	SSLBASE
 
+SUBST_CLASSES+=		cacert
+SUBST_MESSAGE.cacert=	Configuring location of default CA certificate file.
+SUBST_STAGE.cacert=	pre-configure
+SUBST_FILES.cacert=	Modules/_ssl.c
+SUBST_SED.cacert=	-e 's,@PREFIX@,${PREFIX},'
+
 post-extract:
 	${LN} -s ${WRKSRC}/Lib/smtpd.py ${WRKSRC}/Tools/scripts/smtpd${PY_VER_SUFFIX}.py
 	${MV} ${WRKSRC}/Tools/scripts/pydoc ${WRKSRC}/Tools/scripts/pydoc${PY_VER_SUFFIX}
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index efb5352c0d0..f7d462c6c66 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.53 2015/12/06 18:22:35 adam Exp $
+$NetBSD: distinfo,v 1.54 2016/02/06 11:25:09 tron Exp $
 
 SHA1 (Python-2.7.11.tar.xz) = c3b8bbe3f084c4d4ea13ffb03d75a5e22f9756ff
 RMD160 (Python-2.7.11.tar.xz) = 215c72b1d81e878a675984783ed8df041ee7539c
@@ -8,6 +8,7 @@ SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
 SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
 SHA1 (patch-Lib_distutils_unixccompiler.py) = def4142633b8f6b75e905b5c57be1d5c19b42d33
 SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
+SHA1 (patch-Modules__ssl.c) = 6e68f88ad205106691900f091a897ffe0a4c363c
 SHA1 (patch-Modules_getaddrinfo.c) = aa699d257f1bc98b9a3183a21324053e134409d1
 SHA1 (patch-Modules_getpath.c) = 9bb2c040895ad6bbe4d0b5807803723b5437d47b
 SHA1 (patch-Modules_posixmodule.c) = 5105d380cd49bf49b8adbd9aa5ffb245195728ed
diff --git a/lang/python27/patches/patch-Modules__ssl.c b/lang/python27/patches/patch-Modules__ssl.c
new file mode 100644
index 00000000000..94cfc7dd0f1
--- /dev/null
+++ b/lang/python27/patches/patch-Modules__ssl.c
@@ -0,0 +1,19 @@
+$NetBSD: patch-Modules__ssl.c,v 1.1 2016/02/06 11:25:09 tron Exp $
+
+Use CA certificate file provided by "mozilla-rootcerts" package by default
+
+--- Modules/_ssl.c.orig	2015-12-05 19:47:13.000000000 +0000
++++ Modules/_ssl.c	2016-02-06 11:12:59.865409460 +0000
+@@ -2952,10 +2952,12 @@
+ static PyObject *
+ set_default_verify_paths(PySSLContext *self, PyObject *unused)
+ {
++    const char *cacert_pem = "@PREFIX@/share/mozilla-rootcerts/cacert.pem";
+     if (!SSL_CTX_set_default_verify_paths(self->ctx)) {
+         _setSSLError(NULL, 0, __FILE__, __LINE__);
+         return NULL;
+     }
++    SSL_CTX_load_verify_locations(self->ctx, cacert_pem, NULL);
+     Py_RETURN_NONE;
+ }
+