From ad44ccd817dbd6aa0949c19381ac56841919afc7 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Wed, 19 Jul 2017 21:34:01 +0200
Subject: document set_default_verify_paths caveats (#667)

* document set_default_verify_paths caveats

fixes #642

* add a bit more detail

* weasel words
---
 doc/api/ssl.rst | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/api/ssl.rst b/doc/api/ssl.rst
index 00cae9b..53bcf40 100644
--- a/doc/api/ssl.rst
+++ b/doc/api/ssl.rst
@@ -307,8 +307,15 @@ Context objects have the following methods:
 .. py:method:: Context.set_default_verify_paths()
 
     Specify that the platform provided CA certificates are to be used for
-    verification purposes.  This method may not work properly on OS X.
-
+    verification purposes. This method has some caveats related to the
+    binary wheels that cryptography (pyOpenSSL's primary dependency) ships:
+
+    * macOS will only load certificates using this method if the user has
+      the ``openssl@1.1`` Homebrew formula installed in the default location.
+    * Windows will not work.
+    * manylinux1 cryptography wheels will work on most common Linux distributions
+      in pyOpenSSL 17.1.0 and above.  pyOpenSSL detects the manylinux1 wheel and
+      attempts to load roots via a fallback path.
 
 .. py:method:: Context.load_tmp_dh(dhfile)
 
-- 
cgit v1.2.1