Remove ca-certificates bundle and instead depend on the certifi package.

MANIFEST.in

@@ -1,6 +1,5 @@
 recursive-include demos *.py *.yaml *.html *.css *.js *.xml *.sql README
 include tornado/speedups.c
-include tornado/ca-certificates.crt
 include tornado/test/README
 include tornado/test/csv_translations/fr_FR.csv
 include tornado/test/gettext_translations/fr_FR/LC_MESSAGES/tornado_test.mo

README.rst

@@ -77,12 +77,12 @@ copy of the source tarball as well.
 The Tornado source code is `hosted on GitHub
 <https://github.com/facebook/tornado>`_.
 
-**Prerequisites**: Tornado runs on Python 2.6, 2.7, 3.2, and 3.3.  On
-Python 2, the `backports.ssl_match_hostname
+**Prerequisites**: Tornado runs on Python 2.6, 2.7, 3.2, 3.3, and 3.4.  It
+requires the `certifi <https://pypi.python.org/pypi/certifi>`_ package
+on all Python versions, and the `backports.ssl_match_hostname
 <https://pypi.python.org/pypi/backports.ssl_match_hostname>`_ package
-must be installed (This will be installed automatically when using
-``pip`` or ``easy_install``); on Python 3 there are no strict
-dependencies outside the standard library.  Some Tornado features may
+on Python 2.  These will be installed automatically when using
+``pip`` or ``easy_install``).  Some Tornado features may
 require one of the following optional libraries:
 
 * `unittest2 <https://pypi.python.org/pypi/unittest2>`_ is needed to run

docs/index.rst

@@ -86,12 +86,12 @@ copy of the source tarball as well.
 The Tornado source code is `hosted on GitHub
 <https://github.com/facebook/tornado>`_.
 
-**Prerequisites**: Tornado runs on Python 2.6, 2.7, 3.2, and 3.3.  On
-Python 2, the `backports.ssl_match_hostname
+**Prerequisites**: Tornado runs on Python 2.6, 2.7, 3.2, 3.3, and 3.4.  It
+requires the `certifi <https://pypi.python.org/pypi/certifi>`_ package
+on all Python versions, and the `backports.ssl_match_hostname
 <https://pypi.python.org/pypi/backports.ssl_match_hostname>`_ package
-must be installed (This will be installed automatically when using
-``pip`` or ``easy_install``); on Python 3 there are no strict
-dependencies outside the standard library.  Some Tornado features may
+on Python 2.  These will be installed automatically when using
+``pip`` or ``easy_install``).  Some Tornado features may
 require one of the following optional libraries:
 
 * `unittest2 <https://pypi.python.org/pypi/unittest2>`_ is needed to run

docs/releases/next.rst

@@ -11,6 +11,10 @@ Backwards-compatibility notes
   to `.IOLoop.add_handler` in this release.
 * `tornado.concurrent.Future` is no longer thread-safe; use
   `concurrent.futures.Future` when thread-safety is needed.
+* Tornado now depends on the `certifi <https://pypi.python.org/pypi/certifi>`_
+  package instead of bundling its own copy of the Mozilla CA list. This will
+  be installed automatically when using ``pip`` or ``easy_install``.
+
 
 `tornado.concurrent`
 ~~~~~~~~~~~~~~~~~~~~

maint/requirements.txt

@@ -2,6 +2,7 @@
 
 # Tornado's required dependencies
 backports.ssl-match-hostname==3.4.0.2
+certifi==1.0.1
 
 # Tornado's optional dependencies
 Twisted==13.2.0

setup.py

@@ -134,17 +134,19 @@ def build_extension(self, ext):
         # fall back to the pure-python implementation on any build failure.
         kwargs['cmdclass'] = {'build_ext': custom_build_ext}
 
+
 if setuptools is not None:
     # If setuptools is not available, you're on your own for dependencies.
+    install_requires = ['certifi']
     if sys.version_info < (3, 2):
-        kwargs['install_requires'] = ['backports.ssl_match_hostname']
+        install_requires.append('backports.ssl_match_hostname')
+    kwargs['install_requires'] = install_requires
 
 setup(
     name="tornado",
     version=version,
     packages = ["tornado", "tornado.test", "tornado.platform"],
     package_data = {
-        "tornado": ["ca-certificates.crt"],
         # data files need to be listed both here (which determines what gets
         # installed) and in MANIFEST.in (which determines what gets included
         # in the sdist tarball)

tornado/simple_httpclient.py

@@ -15,7 +15,6 @@
 import collections
 import copy
 import functools
-import os.path
 import re
 import socket
 import ssl
@@ -31,8 +30,16 @@
 except ImportError:
     import urllib.parse as urlparse  # py3
 
-_DEFAULT_CA_CERTS = os.path.dirname(__file__) + '/ca-certificates.crt'
+try:
+    import certifi
+except ImportError:
+    certifi = None
 
+def _default_ca_certs():
+    if certifi is None:
+        raise Exception("The 'certifi' package is required to use https "
+                        "in simple_httpclient")
+    return certifi.where()
 
 class SimpleAsyncHTTPClient(AsyncHTTPClient):
     """Non-blocking HTTP client with no external dependencies.
@@ -224,7 +231,7 @@ def _create_stream(self, addrinfo):
             if self.request.ca_certs is not None:
                 ssl_options["ca_certs"] = self.request.ca_certs
             else:
-                ssl_options["ca_certs"] = _DEFAULT_CA_CERTS
+                ssl_options["ca_certs"] = _default_ca_certs()
             if self.request.client_key is not None:
                 ssl_options["keyfile"] = self.request.client_key
             if self.request.client_cert is not None:

tornado/test/simple_httpclient_test.py

@@ -16,7 +16,7 @@
 from tornado.ioloop import IOLoop
 from tornado.log import gen_log
 from tornado.netutil import Resolver
-from tornado.simple_httpclient import SimpleAsyncHTTPClient, _DEFAULT_CA_CERTS
+from tornado.simple_httpclient import SimpleAsyncHTTPClient, _default_ca_certs
 from tornado.test.httpclient_test import ChunkHandler, CountdownHandler, HelloWorldHandler
 from tornado.test import httpclient_test
 from tornado.testing import AsyncHTTPTestCase, AsyncHTTPSTestCase, AsyncTestCase, bind_unused_port, ExpectLog
@@ -192,7 +192,7 @@ def test_redirect_connection_limit(self):
             response.rethrow()
 
     def test_default_certificates_exist(self):
-        open(_DEFAULT_CA_CERTS).close()
+        open(_default_ca_certs()).close()
 
     def test_gzip(self):
         # All the tests in this file should be using gzip, but this test