From fbf8567a79a84ee0379e11dbecf215768dcaa706 Mon Sep 17 00:00:00 2001
From: Ryan Laughlin
Date: Fri, 30 Sep 2016 16:39:44 -0400
Subject: [PATCH] Fix SSL error

This fixes an issue that occurs when a user supplies a custom SSL cert w/ intermediate certs that contradict the default certifi set of root certificates. In particular, this addressed an issue where the "COMODO RSA Certification Authority" cert in certifi is NOT trusted on OS X by default as of OS X 10.11.6. Even when the user manually supplied a different valid "COMODO RSA Certification Authority" cert in their custom SSL cert .pem file, that cert would be overridden by certifi's default cert.
---
 netlib/tcp.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/netlib/tcp.py b/netlib/tcp.py
index b1a6db5a7..64b9ce3bd 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -817,7 +817,7 @@ class BaseHandler(_Connection):
 until then we're conservative.
 """
- context = self._create_ssl_context(**sslctx_kwargs)
+ context = self._create_ssl_context(ca_pemfile=chain_file, **sslctx_kwargs)
 context.use_privatekey(key)
 if isinstance(cert, certutils.SSLCert):
@@ -840,10 +840,6 @@ class BaseHandler(_Connection):
 return True
 context.set_verify(SSL.VERIFY_PEER, save_cert)
- # Cert Verify
- if chain_file:
- context.load_verify_locations(chain_file)
-
 if dhparams:
 SSL._lib.SSL_CTX_set_tmp_dh(context._context, dhparams)
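Review bot: The new `+` line hands `ca_pemfile=chain_file` to `_create_ssl_context` even when `chain_file` is None, whereas the deleted block in the second hunk only loaded it under `if chain_file:`; whether a None `ca_pemfile` still falls back to the certifi bundle is decided inside `_create_ssl_context`, which is outside this hunk, so that fallback should be confirmed before relying on it. The call will also raise `TypeError` for a duplicate keyword if any caller already passes `ca_pemfile` inside `sslctx_kwargs`; both points are covered by `if chain_file: sslctx_kwargs = dict(sslctx_kwargs, ca_pemfile=chain_file)` followed by the original `context = self._create_ssl_context(**sslctx_kwargs)`. Since the reason for routing the chain through the context builder (a user-supplied CA must replace, not be shadowed by, certifi's bundled copy of the same issuer) now lives only in the commit message, a comment such as `# chain_file goes through the context builder so a user-supplied CA replaces certifi's default set instead of being overridden by it` would keep it next to the code. The enclosing method begins and ends outside both hunks.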