new file mode 100644
@@ -0,0 +1,41 @@
+Fix default certificate search path, still allowing the user to override it
+with environment variables.
+
+--- a/lib_pypy/_cffi_ssl/_stdssl/__init__.py
++++ b/lib_pypy/_cffi_ssl/_stdssl/__init__.py
+@@ -1679,20 +1679,9 @@ def get_default_verify_paths():
+ https://golang.org/src/crypto/x509/root_linux.go (for the files)
+ '''
+ certFiles = [
+- "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
+- "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6
+- "/etc/ssl/ca-bundle.pem", # OpenSUSE
+- "/etc/pki/tls/cacert.pem", # OpenELEC
+- "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
+- "/etc/ssl/cert.pem", # Alpine Linux
+ ]
+ certDirectories = [
+- "/etc/ssl/certs", # SLES10/SLES11
+- "/system/etc/security/cacerts", # Android
+- "/usr/local/share/certs", # FreeBSD
+- "/etc/pki/tls/certs", # Fedora/RHEL
+- "/etc/openssl/certs", # NetBSD
+- "/var/ssl/certs", # AIX
++ "@GUIX_CERT_PATH@",
+ ]
I'm not sure about removing these bits. pypy3 from Guix may be used on
Debian or Fedora, and maybe using certificates from those systems would
be appropriate then?
+
+ # optimization: reuse the values from a local varaible
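Review bot: The new `certDirectories` entry `"@GUIX_CERT_PATH@"` is a build-time placeholder, and nothing in this hunk documents it or the now-empty `certFiles` list, so a reader cannot tell that the emptiness is intentional. If the substitution were ever skipped, the entry would stay a literal relative path rather than an absolute trust-store directory, and what the lookup does with it depends on code outside this hunk. I would add a comment above the entry, e.g. `# Guix: substituted at build time with the absolute CA certificate directory; certFiles is intentionally empty`, and have the package build check that no `@GUIX_CERT_PATH@` string remains in the installed file. `get_default_verify_paths` starts before this hunk and continues after it.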
+@@ -1707,9 +1696,10 @@ def get_default_verify_paths():
+ ofile = _cstr_decode_fs(lib.X509_get_default_cert_file())
+ odir = _cstr_decode_fs(lib.X509_get_default_cert_dir())
+
+- if os.path.exists(ofile) and os.path.exists(odir):
+- get_default_verify_paths.retval = (ofile_env, ofile, odir_env, odir)
+- return get_default_verify_paths.retval
++ if not os.path.exists(ofile):
++ ofile = None