Skip to content

Support /etc/pki/tls cert store for older RHEL/Fedora systems #976

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mrmathematica wants to merge 2 commits into
base: main
Choose a base branch
from
+29 −0
Open

Support /etc/pki/tls cert store for older RHEL/Fedora systems #976

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0ec4f54
Support /etc/pki/tls cert store for older RHEL/Fedora systems
Feb 10, 2026
53f3a8a
patch SSLContext.load_default_certs instead
Feb 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions cpython-unix/build-cpython.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -311,6 +311,11 @@ if [ "${PYTHON_MAJMIN_VERSION}" = 3.12 ] || [ "${PYTHON_MAJMIN_VERSION}" = 3.13
patch -p1 -i ${ROOT}/patch-test-embed-prevent-segfault.patch
fi

# RHEL 8 (supported until 2029) and below, including Fedora 33 and below, do not
# ship an /etc/ssl/cert.pem or a hashed /etc/ssl/cert/ directory. Patch to look at
# /etc/pki/tls/cert.pem instead, if that file exists and /etc/ssl/cert.pem does not.
patch -p1 -i ${ROOT}/patch-cpython-redhat-cert-file.patch

# Cherry-pick an upstream change in Python 3.15 to build _asyncio as
# static (which we do anyway in our own fashion) and more importantly to
# take this into account when finding the AsyncioDebug section.
Expand Down
24 changes: 24 additions & 0 deletions cpython-unix/patch-cpython-redhat-cert-file.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 42ebb8ed384..2cf7e64e18e 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -423,6 +423,7 @@ class SSLContext(_SSLContext):
"""An SSLContext holds various SSL-related configuration options and
data, such as certificates and possibly a private key."""
_windows_cert_stores = ("CA", "ROOT")
+ _FALLBACK_CERT_FILE = "/etc/pki/tls/cert.pem" # RHEL 8 and below, Fedora 33 and below

sslsocket_class = None # SSLSocket is assigned later.
sslobject_class = None # SSLObject is assigned later.
@@ -531,6 +532,11 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
if sys.platform == "win32":
for storename in self._windows_cert_stores:
self._load_windows_store_certs(storename, purpose)
+ elif sys.platform == "linux":
+ _def_paths = _ssl.get_default_verify_paths()
+ openssl_cafile = os.environ.get(_def_paths[0], _def_paths[1])
+ if not os.path.isfile(openssl_cafile) and os.path.isfile(self._FALLBACK_CERT_FILE):
+ self.load_verify_locations(cafile=self._FALLBACK_CERT_FILE)
self.set_default_verify_paths()

if hasattr(_SSLContext, 'minimum_version'):
Loading