homepage

I think we can improve the situation with shipping our own CA certs. Almost every operating system or distribution comes with a set of CA certs.
I lots of Linux distributions and most BSD systems. All except FreeBSD install CA certs by default. A fresh FreeBSD systems doesn't have certs but ``pkg_add -r ca-root-nss`` fixes that. At least some versions of SuSE don't have a cafile but rather a capath directory. On Windows #17134 and #16487 are going to allow us to use Windows' cert store through crypt32.dll.
Here is a full list:
cert_paths = [
 # Debian, Ubuntu, Arch, SuSE
 # NetBSD (security/mozilla-rootcerts)
 "/etc/ssl/certs/",
 # Debian, Ubuntu, Arch: maintained by update-ca-certificates
 "/etc/ssl/certs/ca-certificates.crt",
 # Red Hat 5+, Fedora, Centos
 "/etc/pki/tls/certs/ca-bundle.crt",
 # Red Hat 4
 "/usr/share/ssl/certs/ca-bundle.crt",
 # FreeBSD (security/ca-root-nss package)
 "/usr/local/share/certs/ca-root-nss.crt",
 # FreeBSD (deprecated security/ca-root package, removed 2008)
 "/usr/local/share/certs/ca-root.crt",
 # FreeBSD (optional symlink)
 # OpenBSD
 "/etc/ssl/cert.pem",
 # Mac OS X
 "/System/Library/OpenSSL/certs/cert.pem",
 ]
I'd like to add the list to our ssl.py and add an API to check and load certs from that files, directories and other places (Windows).