Add explicit :verify_none for httpc

[moogle19]

OTP26-rc2 changed the default behaviour of the http client from :verify_none to :verify_peer which results in following error when trying to install hex:

Mix requires the Hex package manager to fetch dependencies
Shall I install Hex? (if running non-interactively, use "mix local.hex --force") [Yn] 
** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:verify, {:missing_dep_cacertfile_or_cacerts}}}}]}

This PR fixes this, by explicitly defining :verify_none.

[josevalim]

OTP 25 includes the system certificates as part of their distribution, so maybe we should use that instead?

[moogle19]

Thought about that too, but doesn't Elixir 1.15 have OTP 24 as lowest compatible version?

Or should we add a :erlang.function_exported/3 check and use the system certificates if the function is available?

[moogle19]

A little off-topic, but running :public_key.cacerts_get/0 in iex when using OTP 26.0 is oddly slow (takes ~10s for me).
erl with OTP 26 and iex with OTP 25 are instant.

[josevalim]

Or should we add a :erlang.function_exported/3 check and use the system certificates if the function is available?

Let's do this.

A little off-topic, but running :public_key.cacerts_get/0 in iex when using OTP 26.0 is oddly slow (takes ~10s for me).
erl with OTP 26 and iex with OTP 25 are instant.

I will investigate.

[josevalim]

@moogle19 isolated here: erlang/otp#7040

[moogle19]

What should happen if the system has no certificates?
cacerts_get/0 says:

The function fails if no cacerts could be loaded.

Should we let it fail or also use :verify_none in that case?

[josevalim]

@moogle19 let's emit a warning and fallback to verify none!

[josevalim]

Wrong button, sorry!

[josevalim]

Hi @moogle19, please let me know if you want to do further refinements or if we should do it. My plan is to release a new v1.14 soon that works on 26 RC for those who want to try it out. :)

[moogle19]

@josevalim
Sorry, didn't find the time to finish it yesterday.
I just added the warning, when the system certificates could not be loaded.

[josevalim]

No need to be sorry, your contributions are very appreciated. :)

[josevalim]

💚 💙 💜 💛 ❤️

[lhoguin]

Hello! This is not enough. If you are going to verify the peer certificate, you also need to set the customize_hostname_check option with what public_key:pkix_verify_hostname_match_fun(https) returns. Otherwise certificates with wildcards will fail to match (like *.github.io or *.githubusercontent.com).

[lhoguin]

Alternatively there is an httpc:ssl_verify_host_options(true) function that does both cacerts, customize_hostname_check and maybe a few more.

[josevalim]

@lhoguin thank you, i will investigate. ❤️

[lhoguin]

@josevalim Would you like me to open a new ticket so this doesn't get forgotten?

[josevalim]

No need, i pushed to main already but forgot to follow up: 6f58a36

[lhoguin]

Great, thanks. I will forward this info to the relevant developer so we can confirm it all works for us.

[lhoguin]

That appears to solve all our Mix/Elixir related issues. Thanks!