Respect OpenSSL default certificate store and SSL_CERT_FILE environment
OpenSSL provides default certificate file and directory in:
OpenSSL::X509::DEFAULT_CERT_FILE
OpenSSL::X509::DEFAULT_CERT_DIR
Those defaults can be loaded by OpenSSL::X509::Store#set_default_paths.
On platforms that do not have this set up properly HTTPClient::SSLContext#working_openssl_platform? can be made to return false and trigger the old behaviour.
Closes https://github.com/nahi/httpclient/issues/369
Also fixes failing build due to expired certificate in the test suite. New certificate will expire in 10 years.
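An added example, not part of the pull request or of httpclient's code: it shows that a store populated with `OpenSSL::X509::Store#set_default_paths` picks up the `SSL_CERT_FILE` environment variable, by verifying a constructed self-signed certificate with and without that variable set. The helper names and the `constructed-ca.invalid` subject are hypothetical.

```ruby
require "openssl"
require "tempfile"

# Constructed sample: a throwaway self-signed CA certificate (not from the PR).
def constructed_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-ca.invalid")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical helper: build a store from OpenSSL's defaults and verify cert.
# OpenSSL reads SSL_CERT_FILE when set_default_paths is called, so the
# variable is set (or removed, when cert_file is nil) just before the call.
def trusted_by_default_store?(cert, cert_file: nil)
  saved = ENV["SSL_CERT_FILE"]
  ENV["SSL_CERT_FILE"] = cert_file # assigning nil deletes the variable
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.verify(cert)
ensure
  ENV["SSL_CERT_FILE"] = saved # restore the caller's environment
end

# Verify the same certificate against the platform defaults and against a
# PEM file named by SSL_CERT_FILE.
def demo_ssl_cert_file
  cert = constructed_self_signed_cert
  Tempfile.create(["constructed-ca", ".pem"]) do |f|
    f.write(cert.to_pem)
    f.flush
    { without_env: trusted_by_default_store?(cert),
      with_env: trusted_by_default_store?(cert, cert_file: f.path) }
  end
end

puts "compiled-in file: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
puts "compiled-in dir:  #{OpenSSL::X509::DEFAULT_CERT_DIR}"
p demo_ssl_cert_file
```

When `SSL_CERT_FILE` is set, OpenSSL loads that file in place of the compiled-in default file, so the file it names becomes a trust anchor source for every store built this way in the process.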
:+1:
Will this be merged soon?
It would be interesting to be able to use the system or any OpenSSL CA with httpclient, still I don't think it's a good idea to change casually for such a widely used lib.
httpclient's policy was to bundle a CA, and that is well-documented. It might be the reason why some people use it. It's the same thing that Java does. It's also different from what net/http and most other ruby http clients do.
So adding an option might be fine, changing basic policies for this I'd warn against - at least without a major version bump.
A few users of GitLab are running into this issue while trying to get OpenID working with a self-signed certificate. Could we get this branch merged and released?