Load certificates from systems keychain on darwin
The system's root keychain contains well-known root certificates, yet is non-modifiable. As such, internal CA certificates (both root and intermediate) tend to get installed into the system keychain in the context of a private organization. Not loading certs from this keychain results in behavior that differs from other tools (e.g., openssl, curl, etc.). This commit changes that so that ssl in conjunction with public_key just works in such environments.
Resolves #8813
CT Test Results
2 files, 17 suites, 5m 29s: 285 tests (283 passed, 2 skipped, 0 failed), 301 runs (299 passed, 2 skipped, 0 failed)
Results for commit e461e038.
// Erlang/OTP Github Action Bot
Note that a test in the appropriate test suite has not been added; I wasn't sure how that would play out, since an import call would be needed and may require a password.
To manually test this, one simply needs to install a certificate into the system keychain, start up erl, then verify the presence of the installed cert via public_key:cacerts_get/0.
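One way to script that manual check, as an added example that is not part of this PR or of OTP itself: export the CA from the keychain to PEM (e.g. `security find-certificate -c "My Internal CA" -p /Library/Keychains/System.keychain > ca.pem`, where the certificate name is a placeholder), then run the escript below against that file. It assumes OTP 25 or later, where public_key:cacerts_get/0 returns #cert{} records as declared in public_key.hrl, and compares SHA-256 fingerprints of the DER encodings rather than subject names, so a cert with the same name but a different key is still reported as missing.

```erlang
#!/usr/bin/env escript
%% check_cacert.escript (example, not OTP code): exit 0 if the PEM cert given
%% on the command line is among the CA certificates Erlang has loaded,
%% exit 1 if it is not. On macOS with this change, a cert installed in the
%% System keychain should show up here.
-include_lib("public_key/include/public_key.hrl").

main([PemFile]) ->
    {ok, Pem} = file:read_file(PemFile),
    %% Take the first certificate in the PEM file; ignore keys or other entries.
    [WantDer | _] = [Der || {'Certificate', Der, not_encrypted}
                               <- public_key:pem_decode(Pem)],
    WantFp = fingerprint(WantDer),
    %% cacerts_get/0 loads the OS trust store on first use and caches it.
    Loaded = [fingerprint(Der) || #cert{der = Der} <- public_key:cacerts_get()],
    io:format("loaded ~p CA certificates~n", [length(Loaded)]),
    case lists:member(WantFp, Loaded) of
        true ->
            io:format("present: sha256 ~s~n", [binary:encode_hex(WantFp)]),
            halt(0);
        false ->
            io:format("MISSING: sha256 ~s~n", [binary:encode_hex(WantFp)]),
            halt(1)
    end;
main(_) ->
    io:format("usage: check_cacert.escript <cert.pem>~n"),
    halt(2).

%% SHA-256 over the DER encoding, the same fingerprint openssl x509 -fingerprint
%% -sha256 prints, so results can be cross-checked against other tools.
fingerprint(Der) ->
    crypto:hash(sha256, Der).
```

Run it with `escript check_cacert.escript ca.pem`; the exit status makes it usable from a CI job on a Mac runner, and running the same file against `openssl x509 -in ca.pem -noout -fingerprint -sha256` confirms that Erlang and OpenSSL agree on the cert that was loaded.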
Confirmed, this can not be easily tested in a suite.
@starbelly ping
Apologies, I'll look at this tomorrow. Work whisked me away 😄
@dgud is the OTP team ok with having a test that is only run when an environment variable is set? My thought here is that if in a VM on GitHub we can import certs conditionally per an env var, this would solve the issue of not importing a cert on people's machines when they're running tests locally.
Should we just skip it for now, we don't have any github action tests on Darwin now, and adding tests that are not used feels like a bad idea.
In this case I will adjust so that it doesn't result in a total failure if the systems keychain can not be read per your suggestion.
Done.
Excited about this change! My company has a VPN cert that causes quite a few issues on our Macs so hopefully this will help.
What versions of OTP will this fix be in, now that it's merged into the maint branch?
@japhib Was released in 27.2
Thanks!