Tags: python, python-2.7, ssl, https, httplib

How to set trust-store used by Python's httplib?


By default, Python's httplib.HTTPSConnection uses the system's trust store to validate an HTTPS certificate. (How) is it possible to set a different CA list to do the validation, replacing the default one?

I tried to set the SSLContext used by httplib (see below), but this only adds the certs from the given file; it does not stop the validator from loading more certs from the system's store if needed.

import ssl
import httplib

c = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
c.verify_mode = ssl.CERT_REQUIRED  # a fresh SSLContext defaults to CERT_NONE, i.e. no validation at all
c.check_hostname = True            # also match the certificate against the requested host name
c.load_verify_locations(cafile='mozillacerts.pem', capath=None)

conn = httplib.HTTPSConnection(domain, port, context=c)  # domain and port set elsewhere

To be clear: I want the validation to fail if it is not possible to validate the trust path with the certs in the given file.

(I am using Python 2.7.11 on Debian 8 for this.)


Solution

  • As this does not really seem to be possible, we 'solved' the problem by using Python-requests, since it allows us to set the CA bundle.

    import requests

    # verify= takes the path of a CA bundle; only CAs in that file are trusted
    requests.get('https://' + domain, verify='mozillacerts.pem')

    See also: Requests documentation: SSL Cert Verification
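The following is an added example, not code from the question or the answer above, showing what a context that trusts only one bundle looks like in the standard library. It is written for Python 3, where `httplib` is called `http.client`; `ssl.PROTOCOL_TLS_CLIENT` exists only from Python 3.6, so on 2.7.9+ the equivalent is `ssl.PROTOCOL_SSLv23` plus `verify_mode = ssl.CERT_REQUIRED` and `check_hostname = True`. The key point is that a freshly constructed `SSLContext` has an empty trust store, and the system bundle is only pulled in by `load_default_certs()` (which `ssl.create_default_context()` calls for you); never calling it is what keeps the system store out of the validation. The function names, `fetch_status`, `bundle_loads` and the rest, are made up for this example; `mozillacerts.pem` is the bundle from the question.

```python
import ssl
import tempfile
import http.client  # Python 3 name of the 2.7 httplib module


def strict_context(cafile):
    """Return a client SSLContext that trusts only the CAs in `cafile`.

    A new SSLContext starts with an EMPTY trust store.  The system bundle is
    added only by load_default_certs(), which this function deliberately never
    calls, so a server chain must end in a CA from `cafile` or the handshake
    fails.
    """
    # PROTOCOL_TLS_CLIENT preconfigures verify_mode=CERT_REQUIRED and
    # check_hostname=True; with the older PROTOCOL_* constants both must be
    # set by hand, otherwise no validation happens at all.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Fail closed at construction time: a missing file raises OSError and a
    # file containing no certificate raises ssl.SSLError, instead of leaving an
    # empty store behind that would make every connection fail later on.
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def bundle_loads(cafile):
    """True if `cafile` yields a usable trust store, False if missing or empty."""
    try:
        strict_context(cafile)
        return True
    except OSError:  # ssl.SSLError is an OSError subclass
        return False


def loaded_ca_count(ctx):
    """Number of CA certificates actually loaded into the context."""
    return len(ctx.get_ca_certs())


def fresh_context_ca_count():
    """The starting point: a brand-new context holds no CA at all."""
    return loaded_ca_count(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


def empty_bundle_path():
    """Constructed edge-case input: a PEM file that contains no certificate."""
    f = tempfile.NamedTemporaryFile(suffix=".pem", delete=False)
    f.close()
    return f.name


def fetch_status(host, port, cafile, timeout=10):
    """HEAD / over HTTPS, validated only against the CAs in `cafile`.

    Raises ssl.SSLCertVerificationError when the server's chain does not end
    in one of those CAs, which is the behaviour the question asks for.
    """
    conn = http.client.HTTPSConnection(
        host, port, context=strict_context(cafile), timeout=timeout
    )
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("CAs in a fresh context:", fresh_context_ca_count())          # 0
    print("empty bundle loads?", bundle_loads(empty_bundle_path()))     # False
    print("missing bundle loads?", bundle_loads("/nonexistent/ca.pem")) # False
    # fetch_status("example.com", 443, "mozillacerts.pem")  # needs network and a real bundle
```

`requests.get(..., verify='mozillacerts.pem')` from the answer does the same thing internally: it builds a context and passes the bundle to `load_verify_locations`, without `load_default_certs()`. If you ever need the system store as well, call `ctx.load_default_certs()` explicitly; then you have opted in, rather than having it mixed in behind your back.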