Yes, as we've discussed, using the Apple Crypto APIs would be nice longer-term assuming the compatibility issues can be managed: the set of available APIs appear to have been evolving over the past several OS X releases.  But moving away from openssl seems out of scope for maintenance releases.  The reason why I brought this up now is to try to determine if there are any newer ssl features that may be need to be batteries-included to deal with possible changes to Distutils and/or its users (pip, et al).   

Managing the CA certificates certainly is another issue.  We should investigate what Apple and third-party distributors of openssl on OS X do.  It would be best to be able to use the system-supplied ones since they are actively managed by Apple and can be by the user.

Also, it would be good to know how the Python Windows distribution handles openssl and certificates.  Martin?  Brian?