erlang: support OTP 29 and HTTP/3 server verification#856
Merged
Conversation
Replace the deprecated catch expression with try across the codebase so hackney compiles cleanly on OTP 29, reusing small stop/close helpers instead of repeating the wrapper. Wire hackney's TLS options through to the QUIC connection so HTTP/3 honors the request's insecure option and uses certifi as the default trust store, matching the HTTPS path, now that quic 1.4.4 verifies the server certificate by default. Add OTP 29 to the CI matrix.
0.6.1 replaces the deprecated catch form, so the dependency builds on OTP 29 without warnings_as_errors failing.
Drop the now-unreachable catch-all in getbyname (try cannot yield the {'EXIT', _} the old catch did) and have the trace safe/1 helper return ok so its result is not an unmatched union.
rebar3 3.24.0 does not run on OTP 29, so setup-beam failed on the new OTP 29 job. 3.25.0 supports OTP 27, 28 and 29.
Passing certifi's full cacerts list to the QUIC client stalled the handshake and made HTTP/3 connections time out and fall back to TCP. h3_tls_opts now only maps the insecure option and otherwise lets quic apply its default verification, which already works.
Pass cacerts/cacertfile from ssl_options through to the QUIC connection so HTTP/3 can use a custom trust store, while the default remains quic's own trust store. Forcing certifi by default broke validation; this only overrides the store when the caller explicitly configures one.
quic 1.4.4 verifies the server certificate by default, which needs an OS trust store. The FreeBSD VM had none, so HTTP/3 tests against external servers failed; ca_root_nss provides the CA bundle.
1.4.5 fixes verify_chain to handle servers that send extra or cross-signed certs above the anchored intermediate, so HTTP/3 verification works against certifi and the FreeBSD NSS trust store.
Supersedes #855 (auto-closed when #854's branch was deleted).
quic 1.4.4 verifies the server certificate by default. hackney now passes its TLS options through to the QUIC connection so HTTP/3 honors the request's insecure option and CA configuration, defaulting to the certifi trust store like the HTTPS path. Also replaces the deprecated catch Expr form with try ... catch so hackney compiles cleanly on OTP 29, bumps h2 to 0.6.1 (which carries the same fix), and adds OTP 29 to the CI matrix.
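The two changes this PR describes, the catch-to-try rewrite and the mapping of hackney TLS options onto the QUIC connection, sketched as an added Erlang example. This is illustrative code written for this page, not hackney's or quic's own source: the module name, the close helper, the option names (insecure, ssl_options, cacerts, cacertfile) and the quic-side keys (verify, verify_peer, verify_none) are assumptions chosen to mirror the commit messages above, and should be checked against the real hackney and quic versions before reuse.

```erlang
%% Added illustration, not hackney's or quic's own code. It sketches the two
%% changes described in this PR: (1) the `catch Expr` -> `try ... catch`
%% rewrite with a small close helper, and (2) mapping hackney-style request
%% options onto QUIC TLS options so that `insecure` disables verification and
%% an explicit cacerts/cacertfile overrides the default trust store, while
%% the default otherwise stays quic's own verification and trust store.
%% Option names and quic-side keys below are assumptions for the example.
-module(h3_tls_opts_example).
-export([h3_tls_opts/1, safe_close/2, lookup_example/1]).

%% (1) Old form, deprecated on OTP 29 (shown as a comment, not compiled):
%%     catch Mod:close(Sock)
%% New form: swallow any failure but keep a single return value (ok),
%% so callers never have to match on {'EXIT', _}.
-spec safe_close(module(), term()) -> ok.
safe_close(Mod, Sock) ->
    try Mod:close(Sock) of
        _ -> ok
    catch
        _:_ -> ok
    end.

%% A lookup wrapped in try: unlike the old `catch`, the success branch can
%% never produce {'EXIT', _}, so no catch-all clause for it is needed.
-spec lookup_example(string()) -> {ok, inet:ip_address()} | {error, term()}.
lookup_example(Host) ->
    try inet:getaddr(Host, inet) of
        {ok, Addr} -> {ok, Addr};
        {error, Reason} -> {error, Reason}
    catch
        Class:Reason -> {error, {Class, Reason}}
    end.

%% (2) Build the TLS options handed to the QUIC connection from a hackney
%% request option list. Assumed option names (illustrative):
%%   insecure     - boolean (or bare atom), disables peer verification
%%   ssl_options  - proplist that may carry cacerts or cacertfile
%% Assumed quic-side keys: verify, cacerts, cacertfile.
-spec h3_tls_opts([{atom(), term()} | atom()]) -> [{atom(), term()}].
h3_tls_opts(Opts) ->
    Insecure = proplists:get_value(insecure, Opts, false),
    SslOpts = proplists:get_value(ssl_options, Opts, []),
    case Insecure of
        true ->
            %% Caller opted out of verification for this request.
            [{verify, verify_none}];
        false ->
            %% Keep quic's default verification and default trust store;
            %% only pass a store through when the caller configured one
            %% (forcing a large bundle by default is what stalled the
            %% handshake in this PR's history).
            [{verify, verify_peer} | trust_store(SslOpts)]
    end.

%% Copy only an explicitly configured trust store through to quic.
trust_store(SslOpts) ->
    lists:filtermap(
      fun(Key) ->
              case proplists:lookup(Key, SslOpts) of
                  none -> false;
                  {Key, Value} -> {true, {Key, Value}}
              end
      end,
      [cacerts, cacertfile]).
```

Calling h3_tls_opts/1 with a request option list that contains insecure turns verification off for that connection only; with a cacertfile or cacerts entry inside ssl_options it forwards that store alongside verify_peer; with neither it forwards verify_peer alone, leaving the trust store to quic's default, which is the behavior the later commits in this PR settled on.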