Fix regression: the new default SNI client doesn't support :insecure? req option
#528
Comments
|
Quick thought: while I'm not sure off-hand what the prior/usual semantics of an "insecure" option are meant to be, one option that could be worth considering is just reverting back to the old (pre-SNI) client when Something like that might be a reasonable + easy stop-gap that'd help us at least restore the previous functionality without too much delay? Again, would need to be investigated a bit. From digging through past issues, it looks like the original If no one else is available to assist, I'll try take a look at this myself the next time I'm doing batched work on http-kit. |
From my understanding, it looks like the purpose of this ~undocumented option was to allow the client to connect to untrusted SSL certificates. I'm not familiar with how this would normally be accomplished, am short on time, and no one else has volunteered to tackle the issue - so am just trying something simple here which is to revert to the legacy (non-SNI) client when `:insecure?` is true. This fixes the pre-existing tests, and allows the client to be used with at least basic self-signed certificates, etc. Input and/or PRs welcome if anyone has a suggestion for a better way of doing this.
|
This has been (at least partially) addressed in v2.8.0-beta1. The previous tests have been reinstated, and The remaining question is if there'd be any benefit for |
Context
http-kit 2.3.0 added an optional SNI-capable client for Client feature request: add SNI support #187.
http-kit 2.7.0 switched to using this client by default for SNI support to be enabled by default? #393.
The switch broke some client unit tests, prompting the creation of Update "insecure" client tests for SNI client #519.
Since the broken tests seemed to rely on an undocumented
:insecure?flag, and since there'd been no reports of issues in a couple months of pre-release usage - I concluded that the flag was likely vestigial and Update "insecure" client tests for SNI client #519 need not hold up the release of 2.7.0.Unfortunately it seems I was mistaken, and there was at least one public mention of the
:insecure?flag in the past - meaning that some users may already depend on the feature.At least one user was unfortunately affected.
Options
First up, I'll add a warning now to the current release notes that the client
:insecure?feature is likely broken with the default2.7.0client.Beyond that, we'll need to decide if we want to retain support for
:insecure?or not.If yes:
If no:
Input welcome, I'm not too familiar off-hand with the purpose of this flag - and am occupied on some other topics atm.
The text was updated successfully, but these errors were encountered: