Comment 3 for bug 1678686

Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

Sean, well, you could get them with:

import ssl
ssl.get_default_verify_paths().openssl_cafile

as opposed to using the set_.* function.

Currently, the default CA bundle is the same as the one for python-requests, since it's what keystoneauth's session uses. And it's using some default already: http://docs.python-requests.org/en/master/user/advanced/#ca-certificates

So you might want to discuss this on the mailing list, since this might change the behavior of a LOT of OpenStack services, since most use keystoneauth's sessions.
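Added example (not part of the original comment and not keystoneauth code): a side-by-side check of the OpenSSL default CA file and the bundle a python-requests session would pick, including the environment overrides each side honours. The function names and the `default` parameter are hypothetical; the fallback to `certifi.where()` assumes certifi is installed alongside requests.

```python
import os
import ssl


def system_ca_paths(env=None):
    """OpenSSL side: compiled-in CA file vs. the one in effect after env overrides."""
    env = os.environ if env is None else env
    p = ssl.get_default_verify_paths()
    # p.openssl_cafile is the build-time path; the variable named by
    # p.openssl_cafile_env (normally SSL_CERT_FILE) replaces it when set.
    effective = env.get(p.openssl_cafile_env, p.openssl_cafile)
    return {
        "env_var": p.openssl_cafile_env,
        "compiled_in": p.openssl_cafile,
        "effective": effective,
        "exists": os.path.isfile(effective),
    }


def requests_ca_bundle(verify=True, env=None, trust_env=True, default=None):
    """requests side: which bundle a session would verify against."""
    env = os.environ if env is None else env
    if verify is False:
        return None  # verification disabled, no bundle is consulted
    if isinstance(verify, str):
        return verify  # explicit path passed by the caller wins
    if trust_env:
        override = env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
        if override:
            return override
    if default is None:
        import certifi  # assumption: certifi is installed with requests
        default = certifi.where()
    return default


def same_trust_store(system, bundle):
    """True when both sides resolve to the same existing file on disk."""
    return (bool(bundle) and system["exists"] and os.path.isfile(bundle)
            and os.path.samefile(system["effective"], bundle))


if __name__ == "__main__":
    sysinfo = system_ca_paths()
    bundle = requests_ca_bundle()
    print("OpenSSL compiled-in:", sysinfo["compiled_in"])
    print("OpenSSL effective:  ", sysinfo["effective"], "(exists)" if sysinfo["exists"] else "(missing)")
    print("requests bundle:    ", bundle)
    print("same trust store:   ", same_trust_store(sysinfo, bundle))
```

If the last line prints False on a host, switching a service from one source to the other changes which CAs it trusts there.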