For effective SSL server cert validation a bundle of trustworthy CA certs is required. Most system ship such a bundle but it's not always possible to access the bundle from Python / OpenSSL. Windows and Mac OS X come into my mind. wget and curl ship a copy of Mozilla's CA cert bundle.

The site http://curl.haxx.se/docs/caextract.html explains how to extract the CA certs in PEM format. I suggest that we ship the CA bundle with Python and use a lookup chain:

- user defined path to a cacert directory or cacert.pem file

- cacert directory or PEM file in the user's home directory: 
  cacertdir = os.path.join(site.USER_SITE, os.pardir, "cacert")
  cacertfile = os.path.join(site.USER_SITE, os.pardir, "cacert.pem")

- system's ca cert directory (/etc/ssl/certs on Linux)

- CA cert bundle shipped with the Python installation.

Shouldn't it be a duplicate of issue13655?

FYI, at the moment, the PSF OS X installers dynamically link with the operating system supplied libssl and use its CA management policies.  Issue17128 proposes changing that because Apple has deprecated the use of the system openssl in OS X.

Agree this is a duplicate.  I also think it’s a feature request.

Yes, it's a duplicate of #13665. Sorry, I didn't make a proper search. Although this is a new feature it's a fundament for cert validation.

I found a recipe to retrieve CA certs from Window's cert store, see #17134.