From c79c39c9e51e4db163b63e33ba584b72bcab440f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Fri, 5 Aug 2016 15:42:57 +0200
Subject: [PATCH] Explicitly use certificate chain.
---
 pillar/application/modules/blender_id.py | 1 +
 pillar/config.py | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/pillar/application/modules/blender_id.py b/pillar/application/modules/blender_id.py
index f1938288..e5fc994d 100644
--- a/pillar/application/modules/blender_id.py
+++ b/pillar/application/modules/blender_id.py
@@ -170,6 +170,7 @@ def validate_token(user_id, token, oauth_subclient_id):
 # Retry a few times when POSTing to BlenderID fails.
 # Source: http://stackoverflow.com/a/15431343/875379
 s = requests.Session()
+ s.verify = current_app.config['TLS_CERT_FILE']
 s.mount(blender_id_endpoint(), HTTPAdapter(max_retries=5))
 # POST to Blender ID, handling errors as negative verification results.
diff --git a/pillar/config.py b/pillar/config.py
index e5f2df88..cacc0a87 100644
--- a/pillar/config.py
+++ b/pillar/config.py
@@ -1,5 +1,10 @@
 import os.path
 from collections import defaultdict
+import requests.certs
+
+# Certificate file for communication with other systems.
+TLS_CERT_FILE = requests.certs.where()
+print('Loading TLS certificates from %s' % TLS_CERT_FILE)
 RFC1123_DATE_FORMAT = '%a, %d %b %Y %H:%M:%S GMT'
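Review bot: The added `s.verify = current_app.config['TLS_CERT_FILE']` in validate_token accepts whatever the config holds, and requests treats a falsy `verify` (an empty string, `None` or `False` coming from a deployment override) as "do not verify". A misconfigured setting would therefore silently switch off certificate checking for the Blender ID token call. Keeping verification on for falsy values closes that gap: `s.verify = current_app.config['TLS_CERT_FILE'] or True`. validate_token starts and ends outside this hunk, so how the POST result is handled is not visible here.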
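Review bot: The `print(...)` added at module level in pillar/config.py runs on every import of the config module and writes to stdout outside the application's logging, so the record of which trust store is in use cannot be filtered by level and is easy to lose. Routing it through logging keeps that record with the rest of the startup log: `logging.getLogger(__name__).info('Loading TLS certificates from %s', TLS_CERT_FILE)`, which needs `import logging` next to the other imports. The comment above `TLS_CERT_FILE` could also say that the value is handed to requests as `verify` and must be a path to a CA bundle, never an empty value.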