httpclient
SSL_CERT_FILE environment variable is not honoured
OpenSSL says the SSL_CERT_FILE and SSL_CERT_DIR environment variables can be used to set the default location for certificate files. HTTPClient ignores this setting.
Net::HTTP respects that setting.
```
$ ruby -rnet/http -e "Net::HTTP.get URI('https://example.com/')"
$ echo $?
0
$ SSL_CERT_FILE=/etc/foo ruby -rnet/http -e "Net::HTTP.get URI('https://example.com/')"
ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)
```
HTTPClient does not.
```
$ ruby -rhttpclient -e "HTTPClient.new.get_content('https://example.com/')"
$ echo $?
0
$ SSL_CERT_FILE=/etc/foo ruby -rhttpclient -e "HTTPClient.new.get_content('https://example.com/')"
$ echo $?
0
```
There is no system-wide way of configuring HTTPClient to use the default system store; it has to be initialised on a per-instance basis as described in https://github.com/nahi/httpclient/issues/335.
Also, the bundled cacert.pem is almost 2 years old and is missing several important updates.
I think HTTPClient should not default to its own bundled CA certificates if the system provides them. That might be broken on Windows, but this breaks it on every other UNIX platform.
Preliminary patch https://github.com/mikz/httpclient/commit/329824633ec9479dddea765d561ca4b3dbc3ceb3
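The difference reported above can be reproduced offline with Ruby's OpenSSL bindings alone. The following is an added example, not code from httpclient or from this thread: it compares a store built with `set_default_paths` against one pinned to a single bundle file, using two constructed self-signed CAs and temporary files (the helper names and the stand-in `cacert.pem` are assumptions).

```ruby
require 'openssl'
require 'tmpdir'

# Constructed self-signed CA, so the demo runs offline.
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# OpenSSL defaults: SSL_CERT_FILE / SSL_CERT_DIR are read when this is called.
def default_paths_store
  OpenSSL::X509::Store.new.tap(&:set_default_paths)
end

# Trust pinned to one file, standing in for a bundled cacert.pem (assumption).
def pinned_bundle_store(path)
  OpenSSL::X509::Store.new.tap { |s| s.add_file(path) }
end

def trust_matrix
  saved = %w[SSL_CERT_FILE SSL_CERT_DIR].to_h { |k| [k, ENV[k]] }
  Dir.mktmpdir do |dir|
    site_ca = make_ca('Constructed Site CA')
    bundled_ca = make_ca('Constructed Bundled CA')
    site_pem = File.join(dir, 'site-ca.pem').tap { |f| File.write(f, site_ca.to_pem) }
    bundle_pem = File.join(dir, 'cacert.pem').tap { |f| File.write(f, bundled_ca.to_pem) }
    ENV['SSL_CERT_FILE'] = site_pem
    ENV['SSL_CERT_DIR'] = dir # no hashed certs here, so only the file counts
    {
      default_trusts_site: default_paths_store.verify(site_ca),
      default_trusts_bundled: default_paths_store.verify(bundled_ca),
      pinned_trusts_site: pinned_bundle_store(bundle_pem).verify(site_ca),
      pinned_trusts_bundled: pinned_bundle_store(bundle_pem).verify(bundled_ca)
    }
  end
ensure
  saved.each { |k, v| ENV[k] = v }
end

p trust_matrix if $PROGRAM_NAME == __FILE__
```

The pinned store keeps trusting only its bundle regardless of the environment, which is why an operator-supplied CA set through `SSL_CERT_FILE` is neither added nor able to replace an outdated bundle.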
been hit by this too, any chance it can be reviewed?
In case somebody spent the last 3 hours tracing SSL errors down to this issue, here is a workaround which works for me:
```
for x in ./lib/ruby/gems/*/gems/**/cacert.pem; do rm "$x"; ln -s /etc/ssl/certs/ca-certificates.crt "$x"; done
```
We are running with https://github.com/nahi/httpclient/compare/master...mikz:ssl-env-cert and it works just fine. And set the SSL_CERT_DIR or SSL_CERT_FILE env variable.
That is just a terrible workaround, and it would be way better for httpclient to use the OpenSSL cert store it was compiled with.
Fixed by https://github.com/nahi/httpclient/pull/386
any updates on this?