
Use built-in cacerts

Open wojtekmach opened this issue 3 years ago • 3 comments

The OTP team is working on exciting new capability and that's using the system provided certs store: https://github.com/erlang/otp/pull/5853. When that ships, I believe Finch would no longer have to depend on the castore package and instead make it opt-in.

Perhaps it would make sense to have something like this in Finch:

default_ssl_opts =
  cond do
    # OTP 25+ exposes the operating system's certificate store
    Code.ensure_loaded?(:public_key) and function_exported?(:public_key, :cacerts_get, 0) ->
      [cacerts: :public_key.cacerts_get()]

    # otherwise fall back to the bundled store from the castore package, if present
    Code.ensure_loaded?(CAStore) ->
      [cacertfile: CAStore.file_path()]

    # neither available: refuse rather than connect without a trust store
    true ->
      raise "some good error message"
  end

We'd still need logic like: if either cacerts or cacertfile is passed to Finch, that takes precedence. Perhaps some of this logic would make sense in Mint instead.

cc @ericmj

wojtekmach avatar Apr 10 '22 15:04 wojtekmach
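The selection logic sketched in the issue, written out as a complete module (an added example, not Finch's or Mint's own code). It assumes the precedence the issue describes: options supplied by the caller win, then the OS store via `:public_key.cacerts_get/0` (OTP 25+), then the castore package, and otherwise an error so that no connection is made without a trust store. The module name `CACertSelection`, the function names, the `:verify_peer` default and the handling of a failed OS-store load are assumptions for this example.

```elixir
defmodule CACertSelection do
  @moduledoc """
  Builds the SSL option list for a TLS connection. Added example, not Finch or
  Mint code. Precedence (assumed, following the issue): caller-supplied
  :cacerts or :cacertfile first; then the OS store via :public_key.cacerts_get/0
  (OTP 25+); then the bundled store from castore; otherwise raise.
  """

  @spec ssl_opts(keyword()) :: keyword()
  def ssl_opts(user_opts \\ []) do
    user_opts
    # Assumed default: always verify the peer; the caller may override it.
    |> Keyword.put_new(:verify, :verify_peer)
    |> ensure_trust_store()
  end

  # The caller already chose a trust store: leave the options untouched.
  defp ensure_trust_store(opts) do
    if Keyword.has_key?(opts, :cacerts) or Keyword.has_key?(opts, :cacertfile) do
      opts
    else
      Keyword.merge(opts, default_trust_store())
    end
  end

  defp default_trust_store do
    if Code.ensure_loaded?(:public_key) and
         function_exported?(:public_key, :cacerts_get, 0) do
      try do
        # OTP 25+: load the operating system's certificate store.
        [cacerts: :public_key.cacerts_get()]
      rescue
        # cacerts_get/0 raises when no OS store can be located (for example in
        # a minimal container image); fall through to the bundled store.
        _ -> bundled_store_or_raise()
      end
    else
      bundled_store_or_raise()
    end
  end

  defp bundled_store_or_raise do
    if Code.ensure_loaded?(CAStore) do
      # The castore package ships a PEM bundle; point the TLS stack at it.
      [cacertfile: CAStore.file_path()]
    else
      raise ArgumentError, """
      no CA certificate store available: pass :cacerts or :cacertfile in the \
      SSL options, use OTP 25+ so :public_key.cacerts_get/0 can load the OS \
      store, or add the castore package to your dependencies
      """
    end
  end
end

# Usage: CACertSelection.ssl_opts(cacertfile: "/path/to/corp-ca.pem") keeps the
# caller's file untouched; CACertSelection.ssl_opts() picks the OS or bundled store.
```

Raising on the last branch is deliberate: silently falling back to `verify: :verify_none` would disable certificate validation, which is the failure mode the trust-store logic exists to prevent.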

Is Finch setting its own SSL options? If not, it would be preferable to do this in Mint.

ericmj avatar Apr 10 '22 18:04 ericmj

Finch is not setting SSL options. I thought that by dropping the castore dependency in Finch we'd have to gracefully handle it in Finch. But I just noticed that if Mint SSL transport is not given cacerts/cacertfile options and CAStore is not available, it raises a good error message. So yeah, I think Mint it is. Thanks!

wojtekmach avatar Apr 10 '22 18:04 wojtekmach

Finch would need to remove or make the castore dependency optional though, so some minor changes are needed here as well.

ericmj avatar Apr 10 '22 19:04 ericmj