
Allow setting certificates via application config

Open josevalim opened this issue 1 year ago • 5 comments

This pull request allows setting a custom location for certificates via the application config.

Currently we are seeing a proliferation of env vars for reading certificates in the Elixir community. Here are some examples:

  • https://github.com/hexpm/hex/blob/eec7a266f6e1b1c754798ee9a9c17b4b6201fff2/lib/hex/state.ex#L111
  • https://github.com/elixir-lang/elixir_make/blob/67ef8c1e249d1562fee9247320a602908f0094c6/lib/elixir_make/downloader/httpc.ex#L53
  • https://github.com/elixir-nx/bumblebee/blob/b01e0da989a39b594990f8023bebb3751663fb19/lib/bumblebee/utils/http.ex#L191

This means anyone using Elixir/Erlang behind a proxy needs to set up several env vars, carefully reading the docs of each package that may do external HTTP requests.

For this reason, I believe a solution upstream in Erlang itself would be better, as it would avoid the same issue (of multiple env vars or application config) happening in both Erlang and Elixir packages, escripts, etc.

I understand it is possible to call public_key:cacerts_load/1 but I don't believe it fully solves the problem:

  1. If we leave it up to each package to call public_key:cacerts_load/1, then we land in the same problem described here, but even worse, as one package would globally override the defaults of others.

  2. If we leave it up to users of the packages to call it, then it means they need to add logic to each of their applications and packages that they use. And doing so for escripts is even harder.

This is a follow-up to #8874.

josevalim, Oct 09 '24 11:10

CT Test Results

  2 files, 17 suites, 5m 55s :stopwatch:
  284 tests: 282 :white_check_mark:, 2 :zzz:, 0 :x:
  300 runs: 298 :white_check_mark:, 2 :zzz:, 0 :x:

Results for commit 13d6a352.

:recycle: This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally.


// Erlang/OTP Github Action Bot

github-actions[bot], Oct 09 '24 11:10

Can you add one testcase for regression testing at least?

dgud, Oct 16 '24 11:10

I have augmented the existing tests!

josevalim, Oct 18 '24 21:10

Can you rebase this to maint so I can include it in 27.2?

dgud, Oct 23 '24 13:10

@dgud done!

josevalim, Oct 23 '24 14:10