From 0a2b25187faea1fa29a3b21935cd55294b173bf8 Mon Sep 17 00:00:00 2001
From: Kyle Morton <kylemorton@google.com>
Date: Fri, 26 Jun 2015 14:57:00 -0700
Subject: [PATCH] Fixing how certifi is made the default ca_path to simplify
 calling logic.

---
 netlib/tcp.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/netlib/tcp.py b/netlib/tcp.py
index 74a275c96..38b77c9ef 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -390,7 +390,7 @@ class _Connection(object):
                             method=SSL_DEFAULT_METHOD,
                             options=SSL_DEFAULT_OPTIONS,
                             verify_options=SSL.VERIFY_NONE,
-                            ca_path=certifi.where(),
+                            ca_path=None,
                             ca_pemfile=None,
                             cipher_list=None,
                             alpn_protos=None,
@@ -421,6 +421,8 @@ class _Connection(object):
                 return is_cert_verified
 
             context.set_verify(verify_options, verify_cert)
+            if ca_path is None and ca_pemfile is None:
+                ca_path = certifi.where()
             context.load_verify_locations(ca_pemfile, ca_path)
 
         # Workaround for