Use system wide CA cert store by default. #187

Closed

5 participants

@jgraichen

Not using the system wide CA cert store as the default cert store makes it impossible to use a different list of CA certs when not using httpclient directly but through a third-party library.

It also leads to unexpected errors as most software will work except httpclient when e.g. you have imported your own internal CA certificates into the system wide CA certificate chain. Additionally, you profit from security updates for CA certificates provided by the operating system vendor/community.

This PR changes the SSLContext setup to use the default system wide CA certs instead of the bundled ones if nothing else was configured.

A workaround is calling http_client.ssl_config.set_default_paths but that again is not possible if you're not using httpclient directly but through a third-party application or library.
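Added example, not code from the httpclient project or this PR: it uses only Ruby's stdlib OpenSSL (so it runs without the gem) to reproduce the failure described above, where a certificate chained to a CA the operating system trusts is rejected when verification uses a fixed bundled list instead of the system store. The "Internal Root CA" and host name are constructed test data, and the mapping of `ssl_config.set_default_paths` onto `OpenSSL::X509::Store#set_default_paths` is an assumption.

```ruby
require 'openssl'

# Constructed test data: a certificate built in memory, self-signed when no
# issuer is given, otherwise signed by the issuer's key.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A store seeded only with the CAs handed to it: the shape of the gem's
# bundled list, which knows nothing about CAs you imported system-wide.
def fixed_store(trusted)
  OpenSSL::X509::Store.new.tap { |s| trusted.each { |c| s.add_cert(c) } }
end

# The OS trust store. httpclient's ssl_config.set_default_paths (the
# workaround named above) is assumed to reduce to this same stdlib call.
def system_store
  OpenSSL::X509::Store.new.tap(&:set_default_paths)
end

# Scenario: a host cert issued by an internal CA. Returns whether each trust
# source accepts it (true) or rejects it (false). The "with import" case is
# modelled with fixed_store because the real OS store is not writable here.
def compare_trust_sources
  public_ca = make_cert('/CN=Public Root CA', OpenSSL::PKey::RSA.new(2048), ca: true)
  int_key = OpenSSL::PKey::RSA.new(2048)
  internal_ca = make_cert('/CN=Internal Root CA', int_key, ca: true)
  leaf = make_cert('/CN=intranet.example.internal', OpenSSL::PKey::RSA.new(2048),
                   issuer: internal_ca, issuer_key: int_key)
  {
    bundled_list: fixed_store([public_ca]).verify(leaf),              # no internal CA: rejected
    system_store_as_shipped: system_store.verify(leaf),               # CA not imported: rejected
    system_store_with_import: fixed_store([public_ca, internal_ca]).verify(leaf) # accepted
  }
end
```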

@jgraichen jgraichen Use system wide CA cert store by default.
Not using the system wide CA cert store as the default cert store
makes it impossible to use a different list of CA certs when not
using httpclient directly but through a third-party library.
171a20e
@buildhive

Hiroshi Nakamura » httpclient #100 SUCCESS
This pull request looks good

@konklone

👍

It's very confusing to be using a Ruby library that is based on httpclient, and to have it fail on a valid certificate on the Internet without explanation.

@Juanmcuello

@nahi , any update on this?

I'm having the same problem: I'm using a third-party library that uses httpclient to connect to a server with an SSL cert provided by StartSSL. Using system wide CA certs would solve my problem.

Any chance to merge this? Otherwise, would you accept a PR that adds StartSSL to bundled ca certs?

@glebtv glebtv added a commit to glebtv/httpclient that referenced this pull request Feb 2, 2014
@glebtv glebtv use system CA files by default - see nahi#187 5c14958
@nahi
Owner

Sorry for long silence.

Setting certs by httpclient itself is ugly and it's also attractive because I can be free from updating cacert.p7s. Can anyone share the state of bundled OpenSSL configurations? Rubies with custom built openssl would cause troubles...

@nahi
Owner

Still there are many Ruby developers who use custom-built openssl (like on rbenv) so just setting the default path is not a good choice. I close this but feel free to reopen if there's another solution.

@nahi nahi closed this Nov 3, 2014