Always use system certificates #13052


Merged (3 commits) on Nov 1, 2023

Conversation

sabiwara
Contributor

@sabiwara sabiwara commented Nov 1, 2023

Relates to #11220

Hope I didn't misunderstand "Use new system certificates" and the TODO, feel free to close if that's the case.

Note: :httpc.ssl_verify_host_options/1 is available from 25.1, which would imply 1.17 compatibility is from OTP 25.1, not 25 (is this a showstopper?).

@josevalim
Member

The implementation of the function is small, so we can inline it:

ssl_verify_host_options(WildcardHostName) ->
    WildCard = case WildcardHostName of
                   true ->
                       Fun = public_key:pkix_verify_hostname_match_fun(https),
                       [{customize_hostname_check,[{match_fun, Fun}]}];
                   false ->
                       []
               end,
    [{verify, verify_peer}, {cacerts, public_key:cacerts_get()} | WildCard].

And then we leave a note to use :httpc.ssl_verify_host_options in OTP 26+.

@sabiwara
Contributor Author

sabiwara commented Nov 1, 2023

The implementation of the function is small, so we can inline it:

ssl_verify_host_options(WildcardHostName) ->
    WildCard = case WildcardHostName of
                   true ->
                       Fun = public_key:pkix_verify_hostname_match_fun(https),
                       [{customize_hostname_check,[{match_fun, Fun}]}];
                   false ->
                       []
               end,
    [{verify, verify_peer}, {cacerts, public_key:cacerts_get()} | WildCard].

And then we leave a note to use :httpc.ssl_verify_host_options in OTP 26+.

Brilliant! Will do!

@sabiwara sabiwara force-pushed the always_check_cert branch 2 times, most recently from c88c0f8 to ed9fcd9 Compare November 1, 2023 10:15
Comment on lines +662 to +666
ssl_options = [
  verify: :verify_peer,
  cacerts: :public_key.cacerts_get(),
  customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
]
Contributor Author

Original for comparison:

ssl_verify_host_options(WildcardHostName) ->
    WildCard = case WildcardHostName of
                   true ->
                       Fun = public_key:pkix_verify_hostname_match_fun(https),
                       [{customize_hostname_check,[{match_fun, Fun}]}];
                   false ->
                       []
               end,
    [{verify, verify_peer}, {cacerts, public_key:cacerts_get()} | WildCard].
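The inlined options from this thread as a complete Elixir example (added here; it is not the Mix code from this PR). The module and function names `CertExample`, `ssl_opts/0` and `fetch/1` are assumptions; the module uses `:httpc.ssl_verify_host_options/1` when the running OTP exports it and otherwise falls back to the inlined list, so the same code works on OTP 25.0 and 25.1+.

```elixir
defmodule CertExample do
  # Added example, not the Mix code from this PR. Names are hypothetical.

  # Same options as :httpc.ssl_verify_host_options(true) (OTP 25.1+):
  # verify the chain against the OS trust store and check the hostname
  # with the HTTPS (wildcard-aware) matching rules.
  def ssl_opts do
    if Code.ensure_loaded?(:httpc) and
         function_exported?(:httpc, :ssl_verify_host_options, 1) do
      :httpc.ssl_verify_host_options(true)
    else
      # Inlined equivalent for OTP 25.0, as suggested in the discussion above.
      # :public_key.cacerts_get/0 raises if no OS trust store can be loaded.
      [
        verify: :verify_peer,
        cacerts: :public_key.cacerts_get(),
        customize_hostname_check: [
          match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        ]
      ]
    end
  end

  # GET a URL over HTTPS with peer and hostname verification enforced.
  # A self-signed, expired or wrong-host certificate yields {:error, _}
  # instead of a silently accepted connection.
  def fetch(url) when is_binary(url) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    request = {String.to_charlist(url), []}
    http_opts = [ssl: ssl_opts(), timeout: 15_000]

    case :httpc.request(:get, request, http_opts, body_format: :binary) do
      {:ok, {{_, 200, _}, _headers, body}} -> {:ok, body}
      {:ok, {{_, status, _}, _headers, _body}} -> {:error, {:http_status, status}}
      {:error, reason} -> {:error, reason}
    end
  end
end

# Usage (constructed): CertExample.fetch("https://hex.pm") returns {:ok, body};
# a host presenting an untrusted certificate returns {:error, {:failed_connect, _}}.
```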

@sabiwara sabiwara merged commit 20c5a18 into elixir-lang:main Nov 1, 2023
@sabiwara sabiwara deleted the always_check_cert branch November 1, 2023 10:42