use default server/host trusted cert store for SSL? #89
HTTPClient by default, for deciding trust of ssl certs, uses a cacert file distro'd with httpclient, derived from Java JDK.
This is convenient, sometimes. But sometimes you want to do what most of httpclient's peers do -- use the standard default server-level trusted cert store.
HTTPClient::SSLConfig provides a whole bunch of options for dealing with cert stores; and ruby OpenSSL has a whole bunch of methods including, I think, methods for accessing the default server-level cert store.
So this may be quite easily possible already. But I can't quite put all the pieces together to figure out how to do it, I don't know enough about OpenSSL's API, I think.
Can anyone advise?
Myself, I don't think you need the new method/API, if you just document what you told me before,
Is there an easy way to include both the cert package distro'd with HTTPClient and add the default cert store to it, instead of replacing it?
I've already pushed 2.2.5 and it includes SSLConfig#set_default_paths :-)
No, there's no easy way to set both cert sets from system and httpclient. Some CAs issued multiple valid CA certificates from the same signing key, and it could cause wacky certification failure when an X509CertStore includes those certificates at once. You should refrain from mixing certificate sets if possible.
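The two trust-store choices discussed in this thread (the bundled CA file versus the platform's default store that `SSLConfig#set_default_paths` switches to) come down to which `OpenSSL::X509::Store` the verifier consults. The following is an added example, not code from the httpclient project or from anyone in the thread: it uses only Ruby's standard `openssl` library, generates a throwaway CA and leaf certificate in memory (constructed test data, not a real CA), and shows that a leaf chaining to a private CA verifies against an explicit store holding that CA but not against the system default store. The helper names (`build_ca`, `build_leaf`, `system_store`, `pinned_store`, `verify_against`) are this example's own.

```ruby
require 'openssl'

# Constructed, in-memory test CA. Nothing here is a real CA; the certificate
# lives only for this process and is never written to disk.
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  cert.issuer = cert.subject # self-signed root
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed leaf (server-style) certificate signed by the test CA above.
def build_leaf(ca_cert, ca_key, common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Option 1: the platform's default trusted CA store. This is the same OpenSSL
# call SSLConfig#set_default_paths relies on; it honours the SSL_CERT_FILE and
# SSL_CERT_DIR environment variables that OpenSSL reads for its default paths.
def system_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# Option 2: an explicit store containing only the CAs you hand it, which is
# the model of shipping a fixed cacert file with the client.
def pinned_store(*ca_certs)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  store
end

# Verify a leaf against a store; returns [ok, error_string_or_nil].
def verify_against(store, leaf)
  ok = store.verify(leaf)
  [ok, ok ? nil : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = build_ca
  leaf = build_leaf(ca, ca_key, 'example.test')
  puts "explicit store:  #{verify_against(pinned_store(ca), leaf).inspect}"
  puts "system store:    #{verify_against(system_store, leaf).inspect}"
end
```

With httpclient 2.2.5 or later, the equivalent of `system_store` for a client is `client = HTTPClient.new; client.ssl_config.set_default_paths`, after which verification uses the host's CA store instead of the bundled file. The example keeps the two stores separate on purpose: the thread's answer is that mixing the bundled set and the system set in one store is not supported, so pick one trust root per client.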