Index: Lib/ssl.py
===================================================================
--- Lib/ssl.py.orig
+++ Lib/ssl.py
@@ -217,6 +217,8 @@ class SSLSocket(socket):
 self.context.verify_mode = cert_reqs
 if ca_certs:
 self.context.load_verify_locations(ca_certs)
+ else:
+ self.context.set_default_verify_paths()
 if certfile:
 self.context.load_cert_chain(certfile, keyfile)
 if ciphers:
Index: Doc/library/ssl.rst
===================================================================
--- Doc/library/ssl.rst.orig
+++ Doc/library/ssl.rst
@@ -96,7 +96,8 @@ instead.
 provided. It must be one of the three values :const:`CERT_NONE` (certificates ignored), :const:`CERT_OPTIONAL` (not required, but validated if provided), or :const:`CERT_REQUIRED` (required and validated). If the
- value of this parameter is not :const:`CERT_NONE`, then the ``ca_certs``
+ value of this parameter is not :const:`CERT_NONE` and the OpenSSL library
+ was not built with a default certificate store, then the ``ca_certs``
 parameter must point to a file of CA certificates. The ``ca_certs`` file contains a set of concatenated "certification
@@ -269,9 +270,10 @@ Constants
 are provided, validation will be attempted and an :class:`SSLError` will be raised on failure.
- Use of this setting requires a valid set of CA certificates to
- be passed, either to :meth:`SSLContext.load_verify_locations` or as a
- value of the ``ca_certs`` parameter to :func:`wrap_socket`.
+ If the OpenSSL library was not built with a default certificate store, use
+ of this setting requires a valid set of CA certificates to be passed,
+ either to :meth:`SSLContext.load_verify_locations` or as a value of the
+ ``ca_certs`` parameter to :func:`wrap_socket`.
 .. data:: CERT_REQUIRED
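Review bot: The new `else:` branch calls `set_default_verify_paths()` whenever `ca_certs` is empty, including when `cert_reqs` is `CERT_NONE` and no trust store will ever be consulted; if that call fails on a build without a default store (it appears to raise SSLError rather than return a status — confirm in _ssl.c), callers that never asked for verification now get an error they did not get before. Guarding it as `elif cert_reqs != CERT_NONE:` keeps the old behaviour for the no-verification case and only touches the platform store when it will actually be used. Note also that OpenSSL's default paths honour the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so for callers that omit `ca_certs` the set of trusted CAs is now influenced by the process environment rather than being an explicit hard failure; that is worth a comment on the new line, e.g. `# No explicit CA file: fall back to OpenSSL's default store (also honours SSL_CERT_FILE/SSL_CERT_DIR)`. The enclosing SSLSocket.__init__ starts and ends outside the hunk.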
@@ -280,9 +282,10 @@ Constants
 required from the other side of the socket connection; an :class:`SSLError` will be raised if no certificate is provided, or if its validation fails.
- Use of this setting requires a valid set of CA certificates to
- be passed, either to :meth:`SSLContext.load_verify_locations` or as a
- value of the ``ca_certs`` parameter to :func:`wrap_socket`.
+ If the OpenSSL library was not built with a default certificate store, use
+ of this setting requires a valid set of CA certificates to be passed,
+ either to :meth:`SSLContext.load_verify_locations` or as a value of the
+ ``ca_certs`` parameter to :func:`wrap_socket`.
 .. data:: PROTOCOL_SSLv2
@@ -683,7 +686,8 @@ CA certificates
 ^^^^^^^^^^^^^^^
 If you are going to require validation of the other side of the connection's
-certificate, you need to provide a "CA certs" file, filled with the certificate
+certificate, and OpenSSL was not built with a default certificate store
+location, you need to provide a "CA certs" file, filled with the certificate
 chains for each issuer you are willing to trust. Again, this file just contains these chains concatenated together. For validation, Python will use the first chain it finds in the file which matches. Some "standard" root certificates are