Index: Modules/_ssl.c
===================================================================
--- Modules/_ssl.c.orig
+++ Modules/_ssl.c
@@ -327,9 +327,13 @@ newPySSLObject(PySocketSockObject *Sock,
     if (certreq != PY_SSL_CERT_NONE) {
         if (cacerts_file == NULL) {
-            errstr = ERRSTR("No root certificates specified for "
-                            "verification of other-side certificates.");
-            goto fail;
+            PySSL_BEGIN_ALLOW_THREADS
+            ret = SSL_CTX_set_default_verify_paths(self->ctx);
+            PySSL_END_ALLOW_THREADS
+            if (ret != 1) {
+                _setSSLError(NULL, 0, __FILE__, __LINE__);
+                goto fail;
+            }
         } else {
             PySSL_BEGIN_ALLOW_THREADS
             ret = SSL_CTX_load_verify_locations(self->ctx,
Index: Doc/library/ssl.rst
===================================================================
--- Doc/library/ssl.rst.orig
+++ Doc/library/ssl.rst
@@ -91,7 +91,8 @@ Functions, Constants, and Exceptions
    provided. It must be one of the three values :const:`CERT_NONE` (certificates ignored), :const:`CERT_OPTIONAL` (not required, but validated if provided), or :const:`CERT_REQUIRED` (required and validated). If the
-   value of this parameter is not :const:`CERT_NONE`, then the ``ca_certs``
+   value of this parameter is not :const:`CERT_NONE` and the OpenSSL library
+   was not built with a default certificate store, then the ``ca_certs``
    parameter must point to a file of CA certificates.
    The ``ca_certs`` file contains a set of concatenated "certification
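Review bot: The `ret != 1` check after `SSL_CTX_set_default_verify_paths(self->ctx)` does not establish that any CA certificate was loaded: OpenSSL reports success once the default file and directory lookups are registered, and a missing default location is still treated as success, so a CERT_REQUIRED context can now be created with an empty trust store and only fails later, at handshake time, with a less specific verification error than the "No root certificates specified" message this hunk removes. The default locations are also overridable through the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, which makes the trust anchors depend on the process environment rather than on an explicit `ca_certs` argument. A short comment above the call should record both points, e.g. `/* Fall back to OpenSSL's default CA paths (overridable via SSL_CERT_FILE / SSL_CERT_DIR). A return of 1 does not mean any CA was loaded; an empty store fails closed at handshake time. */`. The accompanying docs phrase the condition as "was not built with a default certificate store", but that cannot be detected from this return value. newPySSLObject starts and ends outside the hunk.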
@@ -226,14 +227,15 @@ Functions, Constants, and Exceptions
   certificates will be required from the other side of the socket connection, but if they are provided, will be validated. Note that use of this setting requires a valid certificate validation file also be passed as a value of the
-  ``ca_certs`` parameter.
+  ``ca_certs`` parameter if the OpenSSL library was not built with a default.
 .. data:: CERT_REQUIRED
    Value to pass to the ``cert_reqs`` parameter to :func:`sslobject` when certificates will be required from the other side of the socket connection. Note that use of this setting requires a valid certificate validation file
-   also be passed as a value of the ``ca_certs`` parameter.
+   also be passed as a value of the ``ca_certs`` parameter if the OpenSSL
+   library was not built with a default.
 .. data:: PROTOCOL_SSLv2
@@ -447,7 +449,8 @@ certification authority's certificate::
 -----END CERTIFICATE-----
 If you are going to require validation of the other side of the connection's
-certificate, you need to provide a "CA certs" file, filled with the certificate
+certificate, and OpenSSL was not built with a default certificate store
+location, you need to provide a "CA certs" file, filled with the certificate
 chains for each issuer you are willing to trust. Again, this file just contains these chains concatenated together. For validation, Python will use the first chain it finds in the file which matches.