
use default server/host trusted cert store for SSL? #89

Closed
jrochkind opened this Issue April 30, 2012 · 4 comments

2 participants

Jonathan Rochkind, Hiroshi Nakamura
Jonathan Rochkind

HTTPClient by default, for deciding trust of ssl certs, uses a cacert file distro'd with httpclient, derived from Java JDK.

This is convenient, sometimes. But sometimes you want to do what most of httpclient's peers do -- use the standard default server-level trusted cert store.

HTTPClient::SSLConfig provides a whole bunch of options for dealing with cert stores; and ruby OpenSSL has a whole bunch of methods including, I think, methods for accessing the default server-level cert store.

So this may be quite easily possible already. But I can't quite put all the pieces together to figure out how to do it, I don't know enough about OpenSSL's API, I think.

Can anyone advise?

Hiroshi Nakamura
Owner
nahi commented May 05, 2012

This should work;

require 'httpclient'

c = HTTPClient.new
c.ssl_config.clear_cert_store             # drop the CA bundle shipped with httpclient
c.ssl_config.cert_store.set_default_paths # load OpenSSL's system default CA locations

I'll add a comment of SSLConfig.

Hiroshi Nakamura
Owner
nahi commented May 05, 2012

I'll add SSLConfig#set_default_paths for a shortcut.

require 'httpclient'

c = HTTPClient.new
c.ssl_config.set_default_paths # shortcut: clear the bundled store and use the system default CA locations

should work from the next update.
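The two trust-store choices discussed here, shown as an added example that is not code from httpclient or from this thread. It uses the same OpenSSL::X509::Store that `ssl_config.cert_store` wraps, so it runs without the httpclient gem: `build_store(:system)` calls `set_default_paths` (OpenSSL reads `OpenSSL::X509::DEFAULT_CERT_FILE` / `DEFAULT_CERT_DIR`, overridable with the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment variables), while `build_store(:bundled, ...)` stands in for a shipped CA bundle. The CA and leaf certificate are constructed in-process for the demonstration; the function names, the `verify_chain` helper and the `trust_outcomes` report are my own and are not part of HTTPClient's API.

```ruby
require 'openssl'

# Where set_default_paths looks on this machine; SSL_CERT_FILE / SSL_CERT_DIR
# override these at runtime. (Constants provided by Ruby's openssl library.)
DEFAULT_TRUST_LOCATIONS = {
  file: OpenSSL::X509::DEFAULT_CERT_FILE,
  dir:  OpenSSL::X509::DEFAULT_CERT_DIR
}.freeze

# Build a trust store in one of two modes: the host's default store (what
# set_default_paths gives you) or a single bundled CA PEM (a stand-in for the
# bundle httpclient ships). Each mode gets its own store; nothing is merged.
def build_store(mode, bundle_pem: nil)
  store = OpenSSL::X509::Store.new
  case mode
  when :system
    store.set_default_paths
  when :bundled
    raise ArgumentError, 'bundle_pem required for :bundled' unless bundle_pem
    store.add_cert(OpenSSL::X509::Certificate.new(bundle_pem))
  else
    raise ArgumentError, "unknown mode #{mode.inspect}"
  end
  store
end

# Verify a leaf certificate against a store. Returns [ok, error_string_or_nil].
def verify_chain(store, leaf, intermediates = [])
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# --- constructed test material: an in-process CA and a leaf it signs ---
def make_cert(subject, serial, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('/CN=Constructed Test CA', 1, nil, nil, CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=example.test', 2, CA_CERT, CA_KEY, LEAF_KEY, ca: false)

# Run the same leaf through both stores so the difference is visible: the store
# that knows the constructed CA trusts the leaf, the system store rejects it.
def trust_outcomes
  bundled = build_store(:bundled, bundle_pem: CA_CERT.to_pem)
  system  = build_store(:system)
  {
    bundled: verify_chain(bundled, LEAF_CERT),
    system:  verify_chain(system, LEAF_CERT)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "default cert file: #{DEFAULT_TRUST_LOCATIONS[:file]}"
  puts "default cert dir:  #{DEFAULT_TRUST_LOCATIONS[:dir]}"
  trust_outcomes.each do |mode, (ok, err)|
    puts "#{mode}: #{ok ? 'trusted' : "rejected (#{err})"}"
  end
end
```

Running the script prints the default locations OpenSSL will consult on the current host and then shows the constructed leaf being accepted by the store that holds its CA and rejected by the system store (typically "unable to get local issuer certificate"). That is also a quick way to confirm which store a deployment is really using: if a certificate you expect to be trusted is rejected, check `DEFAULT_TRUST_LOCATIONS` and the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment before suspecting the client.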

Hiroshi Nakamura nahi closed this issue from a commit May 06, 2012
Hiroshi Nakamura Add HTTPClient::SSLConfig#set_default_paths
Make HTTPClient instance use OpenSSL's default trusted CA
certificates.  Close #89.
7e83644
Hiroshi Nakamura nahi closed this in 7e83644 May 05, 2012
Jonathan Rochkind

Thanks!

Myself, I don't think you need the new method/API, if you just document what you told me before, c.ssl_config.cert_store.set_default_paths. But either way, whatever you think best!

Is there an easy way to include both the cert package distro'd with HTTPClient and add the default cert store to it, instead of replacing it?

Hiroshi Nakamura
Owner
nahi commented May 08, 2012

I've already pushed 2.2.5 and it includes SSLConfig#set_default_paths :-)

No, there's no easy way to set both cert sets from the system and httpclient. Some CAs issued multiple valid CA certificates from the same signing key, and it could cause wacky certification failures when an X509CertStore includes those certificates at once. You should refrain from mixing certificate sets if possible.

Dan Wanek zenchild referenced this issue from a commit May 06, 2012
Hiroshi Nakamura Add HTTPClient::SSLConfig#set_default_paths
Make HTTPClient instance use OpenSSL's default trusted CA
certificates.  Close #89.
0e8029f