From 71abaed1f5221f01f28f906aae87bbe403fd5a73 Mon Sep 17 00:00:00 2001
From: Avdi Grimm
Date: Sun, 29 Nov 2009 13:19:47 -0500
Subject: [PATCH] Added two alternative sources for CA file: 1. Fallback to /etc/ssl/certs/ca-certificates.crt (found on Debian/Ubuntu) 2. Override parameter with RIGHT_HTTP_CA_FILE env var.
---
 lib/right_http_connection.rb | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/lib/right_http_connection.rb b/lib/right_http_connection.rb
index a3455e9..224defe 100644
--- a/lib/right_http_connection.rb
+++ b/lib/right_http_connection.rb
@@ -86,6 +86,10 @@ class HttpConnection
 # Length of the post-error probationary period during which all requests will fail
 HTTP_CONNECTION_RETRY_DELAY = 15
 
+ # Location of the system CA certificates file on Debian/Ubuntu systems, as
+ # generated by the ca-certificates package.
+ DEBIAN_CA_FILE = '/etc/ssl/certs/ca-certificates.crt'
+
 #--------------------
 # class methods
 #--------------------
@@ -99,7 +103,18 @@ class HttpConnection
 # Query the global (class-level) parameters:
 #
 # :user_agent => 'www.HostName.com' # String to report as HTTP User agent
- # :ca_file => 'path_to_file' # Path to a CA certification file in PEM format. The file can contain several CA certificates. If this parameter isn't set, HTTPS certs won't be verified.
+ # :ca_file => 'path_to_file' # Path to a CA certification file in
+ # # PEM format. The file can contain
+ # # several CA certificates. If this
+ # # parameter isn't set,
+ # # HttpConnection will check for a
+ # # system CA file. If no CA file is
+ # # found, HTTPS certs won't be
+ # # verified.
+ # #
+ # # This parameter may be overridden
+ # # with the RIGHT_HTTP_CA_FILE
+ # # environment variable.
 # :logger => Logger object # If omitted, HttpConnection logs to STDOUT
 # :exception => Exception to raise # The type of exception to raise
 # # if a request repeatedly fails. RuntimeError is raised if this parameter is omitted.
@@ -301,7 +316,7 @@ def start(request_params)
 true
 }
 @http.use_ssl = true
- ca_file = get_param(:ca_file)
+ ca_file = get_ca_file
 if ca_file
 @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 @http.verify_callback = verifyCallbackProc
@@ -425,6 +440,23 @@ def finish(reason = '')
 end
 end
 
+ def get_ca_file
+ get_ca_file_from_env || get_param(:ca_file) || get_system_ca_file
+ end
+
+ def get_ca_file_from_env
+ ENV['RIGHT_HTTP_CA_FILE']
+ end
+
+ def get_system_ca_file
+ system_ca_file = DEBIAN_CA_FILE
+ if File.readable?(system_ca_file)
+ system_ca_file
+ else
+ nil
+ end
+ end
+
 # Errors received during testing:
 #
 # #
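Review bot: When `get_ca_file` returns nil the `if ca_file` guard is skipped, and by the `:ca_file` documentation updated in this same patch ("If no CA file is found, HTTPS certs won't be verified") the connection then proceeds without peer verification. With three possible sources now in play, this is the place to log which CA file was selected and to emit a warning when none was, so that a missing bundle is visible instead of silently downgrading the connection. Proposed comment above the call: `# CA file precedence: RIGHT_HTTP_CA_FILE env, then :ca_file param, then system bundle; nil disables verification`. The remainder of `start`, including whatever follows the `if ca_file` branch, is outside the hunk, so check whether a warning already exists there.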
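Review bot: `get_ca_file_from_env` returns `ENV['RIGHT_HTTP_CA_FILE']` unchecked, while `get_system_ca_file` tests `File.readable?` first. An empty string is truthy in Ruby, so a variable that is exported but blank wins the `||` chain in `get_ca_file`, masks both the configured `:ca_file` and the Debian fallback, and passes an unusable path on to the SSL setup. The environment also outranks an explicitly configured `:ca_file`, which means anything able to set the process environment selects the trust anchor; a comment stating that this precedence is deliberate would help. Suggest treating a blank value as unset, `path = ENV['RIGHT_HTTP_CA_FILE'].to_s.strip` then `path.empty? ? nil : path`, and reporting an unreadable path rather than using it silently.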