use default server/host trusted cert store for SSL? #89

Closed
jrochkind opened this Issue · 4 comments

2 participants

@jrochkind

HTTPClient by default, for deciding trust of ssl certs, uses a cacert file distro'd with httpclient, derived from Java JDK.

This is convenient, sometimes. But sometimes you want to do what most of httpclient's peers do -- use the standard default server-level trusted cert store.

HTTPClient::SSLConfig provides a whole bunch of options for dealing with cert stores; and ruby OpenSSL has a whole bunch of methods including, I think, methods for accessing the default server-level cert store.

So this may be quite easily possible already. But I can't quite put all the pieces together to figure out how to do it, I don't know enough about OpenSSL's API, I think.

Can anyone advise?

@nahi
Owner

This should work:

require 'httpclient'

c = HTTPClient.new
c.ssl_config.clear_cert_store               # drop the CA bundle shipped with httpclient
c.ssl_config.cert_store.set_default_paths   # trust OpenSSL's system CA locations instead

I'll add a comment to SSLConfig.

@nahi
Owner

I'll add SSLConfig#set_default_paths for a shortcut.

require 'httpclient'

c = HTTPClient.new
c.ssl_config.set_default_paths   # clears the bundled store and loads OpenSSL's default CA paths

should work from the next update.

@nahi nahi closed this issue from a commit
@nahi Add HTTPClient::SSLConfig#set_default_paths
Make HTTPClient instance to use OpenSSL's default trusted CA
certificates.  Close #89.
7e83644
@nahi nahi closed this in 7e83644
@jrochkind

Thanks!

Myself, I don't think you need the new method/API, if you just document what you told me before, c.ssl_config.cert_store.set_default_paths. But either way, whatever you think best!

Is there an easy way to include both the cert package distro'd with HTTPClient and add the default cert store to it, instead of replacing it?

@nahi
Owner

I've already pushed 2.2.5 and it includes SSLConfig#set_default_paths :-)

No, there's no easy way to set both the cert set from the system and httpclient's. Some CAs issued multiple valid CA certificates from the same signing key, and it could cause wacky certification failure when an X509CertStore includes those certificates at once. You should refrain from mixing certificate sets if possible.
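An added, stand-alone illustration of the two points above (the `set_default_paths` answer and the "replace, don't merge" caveat); it is not code from httpclient or from nahi. It uses only Ruby's standard OpenSSL binding, so it runs without the gem: `system_default_store` builds the same kind of store that `SSLConfig#set_default_paths` leaves you with (empty apart from OpenSSL's system CA locations), while `store_trusting` stands in for a store loaded from a bundled cacert file. The CA and server certificate are generated in memory as constructed test data; the names `Example Test CA` and `example.test`, and all helper names, are assumptions made for this example. The server cert verifies only against the store that actually contains its CA, which is why trust decisions hinge on which single cert set the store holds:

```ruby
require 'openssl'

# Issue an X.509 v3 certificate. Constructed test data only: the "CA" here is a
# throwaway key generated in memory, never a real trust anchor.
def issue_cert(subject:, key:, serial:, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject  # self-signed when no issuer
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true)) if ca

  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [ca_cert, leaf_cert]: a self-signed test CA and a server cert it signed.
def build_test_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert(subject: '/CN=Example Test CA', key: ca_key, serial: 1, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = issue_cert(subject: '/CN=example.test', key: leaf_key, serial: 2,
                    issuer: ca_cert, issuer_key: ca_key)
  [ca_cert, leaf]
end

# What HTTPClient::SSLConfig#set_default_paths (2.2.5+) ends up with: no bundled
# certs, only OpenSSL's system CA locations (SSL_CERT_FILE / SSL_CERT_DIR if set,
# otherwise the compiled-in defaults).
def system_default_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# A store that trusts exactly one CA, standing in for a bundled cacert file.
def store_trusting(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store
end

# Verify a leaf certificate against a store; returns [ok, reason].
def check_trust(store, leaf)
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  ca_cert, leaf = build_test_pki
  puts "system default paths: #{check_trust(system_default_store, leaf).inspect}"
  puts "store with test CA:   #{check_trust(store_trusting(ca_cert), leaf).inspect}"
end
```

With the httpclient gem installed, the first store is what `HTTPClient.new.ssl_config.set_default_paths` gives you; swapping in the second is what the default bundled cacert file does. Because OpenSSL looks up issuers by subject name inside one store, keeping the two sets separate (as nahi recommends) avoids the situation where several CA certificates with the same subject compete during chain building.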

@zenchild zenchild referenced this issue from a commit
@nahi Add HTTPClient::SSLConfig#set_default_paths
Make HTTPClient instance to use OpenSSL's default trusted CA
certificates.  Close #89.
0e8029f