[httpc] Do not read OS cacerts if `verify_none` #7303

maennchen · 2023-05-25T12:00:35Z

Describe the bug

When suplying {ssl, [{verify, verify_none}]} to http, it still calls public_key:cacerts/0 internally. If there are no OS cacerts present on the machine, httpc will crash even though no certs were actually required.

To Reproduce

inets:start(),
ssl:start(),
Response = httpc:request(get, {\"https://google.com\", []}, [{ssl,[{verify, verify_none}]}], []),
erlang:display(Response).

** exception error: no match of right hand side value {error,enoent}
     in function  pubkey_os_cacerts:get/0 (pubkey_os_cacerts.erl, line 38)
     in call from httpc:ssl_verify_host_options/1 (httpc.erl, line 476)
     in call from httpc:http_options_default/0 (httpc.erl, line 1012)
     in call from httpc:http_options/1 (httpc.erl, line 927)
     in call from httpc:handle_request/9 (httpc.erl, line 771)

Expected behavior

No Error

Affected versions

>= 26.0

Additional context

Follow up of [public_key] Dedicated error on missing cacerts file #7295 (comment)

The text was updated successfully, but these errors were encountered:

Avoids crash when using verify_none and the OS does not have a CA cert bundle

Erlang's httpc now looks for CA certifications in the normal system location even with `:verify_none`. It looks like the `:verify_none` issue will be fixed in [PR 7303](erlang/otp#7303), but it seems useful to have a good set of certs there for httpc users.

…into maint

Erlang's httpc now looks for CA certifications in the normal system location even with `:verify_none`. It looks like the `:verify_none` issue will be fixed in [PR 7303](erlang/otp#7303), but it seems useful to have a good set of certs there for httpc users.

…into maint-26 * dgud/inets/lazy-ssl-options/GH-7303/PR-7306/OTP-18604: Calculate httpc efault ssl options on demand (#7303)

maennchen added the bug Issue is reported as a bug label May 25, 2023

maennchen mentioned this issue May 25, 2023

[public_key] Dedicated error on missing cacerts file #7295

Closed

maennchen added a commit to maennchen/otp that referenced this issue May 25, 2023

Calculate httpc efault ssl options on demand (erlang#7303)

dbd4542

Avoids crash when using verify_none and the OS does not have a CA cert bundle

maennchen mentioned this issue May 25, 2023

[httpc] calculate default ssl options on demand #7306

Merged

IngelaAndin added the team:PS Assigned to OTP team PS label May 26, 2023

maennchen added a commit to maennchen/otp that referenced this issue May 26, 2023

Calculate httpc efault ssl options on demand (erlang#7303)

491793e

Avoids crash when using verify_none and the OS does not have a CA cert bundle

maennchen added a commit to maennchen/otp that referenced this issue May 26, 2023

Calculate httpc efault ssl options on demand (erlang#7303)

c15eb45

Avoids crash when using verify_none and the OS does not have a CA cert bundle

dgud added a commit that referenced this issue May 29, 2023

Merge branch 'dgud/inets/lazy-ssl-options/GH-7303/PR-7306/OTP-18604' …

b7463e8

…into maint

dgud closed this as completed May 29, 2023

rickard-green pushed a commit that referenced this issue Jun 8, 2023

Merge branch 'dgud/inets/lazy-ssl-options/GH-7303/PR-7306/OTP-18604' …

3934f82

…into maint-26 * dgud/inets/lazy-ssl-options/GH-7303/PR-7306/OTP-18604: Calculate httpc efault ssl options on demand (#7303)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[httpc] Do not read OS cacerts if `verify_none` #7303

[httpc] Do not read OS cacerts if `verify_none` #7303

maennchen commented May 25, 2023

[httpc] Do not read OS cacerts if verify_none #7303

[httpc] Do not read OS cacerts if verify_none #7303

Comments

maennchen commented May 25, 2023

[httpc] Do not read OS cacerts if `verify_none` #7303

[httpc] Do not read OS cacerts if `verify_none` #7303