CURL_CA_BUNDLE= disables certificate verification

I'm not the first to notice this, see:
 
 https://stackoverflow.com/questions/48391750/disable-python-requests-ssl-validation-for-an-imported-module

Which implies people have even relied on the current behavior as a hack ... but I think it's pretty clear that the current behavior is an accidental bug, which should be fixed (for requests 3?)

Vaguely related to #3829

## Expected Result

An empty-string CURL_CA_BUNDLE should use default system verification, the same way as:

 * An unset CURL_CA_BUNDLE
 * An empty-string or unset REQUESTS_CA_BUNDLE
 * Behavior of curl/libcurl with an empty-string or unset CURL_CA_BUNDLE

## Actual Result

Empty CURL_CA_BUNDLE disables certificate verification

## Reproduction Steps

 * Set CURL_CA_BUNDLE to an empty value, try to fetch a self-signed or invalid HTTPS endpoint => success

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CURL_CA_BUNDLE= disables certificate verification #6071

Expected Result

Actual Result

Reproduction Steps

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

CURL_CA_BUNDLE= disables certificate verification #6071

Description

Expected Result

Actual Result

Reproduction Steps

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions