use default server/host trusted cert store for SSL? #89

Closed
jrochkind opened this Issue Apr 30, 2012 · 4 comments

Comments

Projects
None yet
2 participants
Contributor

jrochkind commented Apr 30, 2012

HTTPClient by default, for deciding trust of ssl certs, uses a cacert file distro'd with httpclient, derived from Java JDK.

This is convenient, sometimes. But sometimes you want to do what most of httpclient's peers do -- use the standard default server-level trusted cert store.

HTTPClient::SSLConfig provides a whole bunch of options for dealing with cert stores; and ruby OpenSSL has a whole bunch of methods including, I think, methods for accessing the default server-level cert store.

So this may be quite easily possible already. But I can't quite put all the pieces together to figure out how to do it, I don't know enough about OpenSSL's API, I think.

Can anyone advise?

Owner

nahi commented May 6, 2012

This should work;

c = HTTPClient.new
c.ssl_config.clear_cert_store
c.ssl_config.cert_store.set_default_paths

I'll add a comment of SSLConfig.

Owner

nahi commented May 6, 2012

I'll add SSLConfig#set_default_paths for a shortcut.

c = HTTPClient.new
c.ssl_config.set_default_paths

should work from the next update.

@nahi nahi closed this in 7e83644 May 6, 2012

Contributor

jrochkind commented May 7, 2012

Thanks!

Myself, I don't think you need the new method/API, if you just document what you told me before, c.ssl_config.cert_store.set_default_paths. But either way, whatever you think best!

Is there an easy way to include both the cert package distro'd with HTTPClient and add the default cert store to it, instead of replacing it?

Owner

nahi commented May 8, 2012

I've already pushed 2.2.5 and it includes SSLConfig#set_default_paths :-)

No, there's not easy way to set both cert set from system and httpclient. Some CA issued multiple valid CA certificates from the same signing key and it could cause wacky certification failure when a X509CertStore includes those certificates at once. You should be refrain from mixing certificates sets if possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment