From dd185f923919137b0f5ecdc0bc6d46011259e1b9 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Tue, 11 Jan 2022 17:18:27 -0800
Subject: [PATCH] Always set OpenSSL default paths
Previously if you set `SSL_CERT_FILE` to a directory with no certs, this script would fail: ``` ```ruby require 'openssl' require 'excon' ENV['SSL_CERT_DIR'] = '/path/to/no/ssl/certs/' excon = Excon.new('https://www.google.com') excon.get ``` However, the same script with `Net::HTTP` works fine: ``` require 'openssl' require 'net/http' ENV['SSL_CERT_DIR'] = '/path/to/no/ssl/certs/' Net::HTTP.get(URI('https://www.google.com')) ``` To match the behavior of Net::HTTP, always call `OpenSSL::X509::Store#set_default_paths` unless there is a store specified.
---
 lib/excon/ssl_socket.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/excon/ssl_socket.rb b/lib/excon/ssl_socket.rb
index 897786f5..db51f081 100644
--- a/lib/excon/ssl_socket.rb
+++ b/lib/excon/ssl_socket.rb
@@ -54,11 +54,13 @@ def initialize(data = {})
 ssl_context.cert_store = cert_store
 end
- # no defaults, fallback to bundled
- unless ca_file || ca_path || cert_store
+ if cert_store.nil?
 ssl_context.cert_store = OpenSSL::X509::Store.new
 ssl_context.cert_store.set_default_paths
+ end
+ # no defaults, fallback to bundled
+ unless ca_file || ca_path || cert_store
 # workaround issue #257 (JRUBY-6970)
 ca_file = DEFAULT_CA_FILE
 ca_file = ca_file.gsub(/^jar:/, '') if ca_file =~ /^jar:file:\//
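Review bot: The new `if cert_store.nil?` guard loads the system default trust anchors even when `ca_file` or `ca_path` is set, which the old `unless ca_file || ca_path || cert_store` condition avoided. Those two variables are assigned above the hunk, so this is inferred: if they can come from a caller option meant to pin trust to a private CA rather than only from the environment, the effective trust set silently grows to include every system root. At minimum the guard deserves a comment such as `# default paths are added on top of any ca_file/ca_path; pass a cert_store to restrict trust to specific anchors`, and a test that a connection configured with only a private CA file rejects a certificate chained to a system root would pin down the intended behaviour. `initialize` begins and ends outside the hunk.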