Antoine Pitrou added the comment:

> and it is not reproducible using openssl s_client

I have determined that s_client is buggy. It will always load the system certs *if and only if* you also pass it a valid custom CA cert (which is the reverse of what's expected). This is where it happens (in apps/s_client.c):

    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx))) {
        /*
         * BIO_printf(bio_err,"error setting default verify locations\n");
         */
        ERR_print_errors(bio_err);
        /* goto end; */
    }

This is why I forced SSL_CERT_* to empty locations in the examples above, so that only the custom CA bundle is used.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23476>
_______________________________________