elixir-lang · josevalim · Apr 24, 2024 · Apr 22, 2024 · Apr 24, 2024 · Apr 24, 2024
diff --git a/lib/mix/lib/mix.ex b/lib/mix/lib/mix.ex
@@ -374,6 +374,14 @@ defmodule Mix do
   flags) should be set to either `1` or `true`, for example:
 
       $ MIX_DEBUG=1 mix compile
+
+  In addition, Mix also uses the following environment variables defined by other libraries
+
+    * `HEX_CACERTS_PATH` - use specified CA certificate file instead of default
+      system CA certificates. This configures how HTTPS calls are made via
+      [Erlang `ssl` module](https://www.erlang.org/doc/man/ssl#type-client_cafile)
+      to fetch remote archives and packages. For more details, see
+      [`mix hex.config`](https://hexdocs.pm/hex/Mix.Tasks.Hex.Config.html#module-config-keys).
   """
 
   @mix_install_project __MODULE__.InstallProject

diff --git a/lib/mix/lib/mix/utils.ex b/lib/mix/lib/mix/utils.ex
@@ -655,11 +655,21 @@ defmodule Mix.Utils do
     headers = [{~c"user-agent", ~c"Mix/#{System.version()}"}]
     request = {:binary.bin_to_list(path), headers}
 
+    # allow override of system CA certs to support running on managed networks
+    # using an SSL proxy etc. Piggy back on Hex defined environment variable
+    # rather than creating a new one, as these are almost always going to be
+    # set and used together.
+    cacert_opt =
+      case System.get_env("HEX_CACERTS_PATH") do
+        nil -> {:cacerts, :public_key.cacerts_get()}
+        file -> {:cacertfile, file}
+      end
+
     # Use the system certificates
     # TODO: use `ssl_options = :httpc.ssl_verify_host_options(true)` on Erlang/OTP 26+
     ssl_options = [
+      cacert_opt,
       verify: :verify_peer,
-      cacerts: :public_key.cacerts_get(),
       customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
     ]