From 0d3ed3af2c08ad2a659837e964a01ef173bf5d66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Fri, 5 Aug 2016 15:42:57 +0200
Subject: [PATCH] Explicitly use certificate chain.
---
pillar/api/blender_id.py | 1 +
pillar/config.py | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/pillar/api/blender_id.py b/pillar/api/blender_id.py
index c1d51241..c9db2962 100644
--- a/pillar/api/blender_id.py
+++ b/pillar/api/blender_id.py
@@ -167,6 +167,7 @@ def validate_token(user_id, token, oauth_subclient_id):
# Retry a few times when POSTing to BlenderID fails.
# Source: http://stackoverflow.com/a/15431343/875379
s = requests.Session()
+ s.verify = current_app.config['TLS_CERT_FILE']
s.mount(blender_id_endpoint(), HTTPAdapter(max_retries=5))
# POST to Blender ID, handling errors as negative verification results.
diff --git a/pillar/config.py b/pillar/config.py
index 8344a3af..4314a70b 100644
--- a/pillar/config.py
+++ b/pillar/config.py
@@ -1,6 +1,11 @@
import os.path
from os import getenv
from collections import defaultdict
+import requests.certs
+
+# Certificate file for communication with other systems.
+TLS_CERT_FILE = requests.certs.where()
+print('Loading TLS certificates from %s' % TLS_CERT_FILE)
import requests.certs
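Review bot: In `pillar/api/blender_id.py`, the added `s.verify = current_app.config['TLS_CERT_FILE']` hands the config value to requests unchecked. Because requests treats `verify=False` as "skip certificate verification", a falsy override of `TLS_CERT_FILE` would silently turn off TLS validation for the token check against Blender ID. Since this call decides whether a token is accepted, I would fail closed: read the value into a local and reject anything that is not a non-empty path before assigning it, e.g. `if not cert_file: raise RuntimeError('TLS_CERT_FILE must name a CA bundle')`. Whether deployments can override the setting is not visible here, so treat that part as an assumption. `validate_token` starts before this hunk and continues after it.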
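Review bot: In `pillar/config.py`, the added `print('Loading TLS certificates from %s' % TLS_CERT_FILE)` runs as a side effect of importing the config module, so every process that loads the configuration writes the bundle path to stdout. A logger call such as `logging.getLogger(__name__).info('Loading TLS certificates from %s', TLS_CERT_FILE)` would make it filterable, though it needs `import logging` and may be dropped if logging is not yet configured at import time. The added `import requests.certs` also duplicates the `import requests.certs` visible in the trailing context, so one of the two can go. I would extend the comment above `TLS_CERT_FILE` to say `# Defaults to the CA bundle shipped with requests; deployments that trust a private CA must point this at their own bundle.`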