Not using the system wide CA cert store as the default cert store makes it impossible to use a different list of CA certs when not using httpclient directly but through a third-party library.
It also leads to unexpected errors, as most software will work except httpclient when e.g. you have imported your own internal CA certificates into the system wide CA certificate chain. Additionally, you profit from security updates for CA certificates provided by the operating system vendor/community.
This PR changes the SSLContext setup to use the default system wide CA certs instead of the bundled ones if nothing else was configured.
A workaround is calling http_client.ssl_config.set_default_paths, but that again is not possible if you're not using httpclient directly but through a third-party application or library.
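The failure mode described above (a certificate issued by an internal CA that the OS trusts but the bundled store does not) can be reproduced with Ruby's standard OpenSSL binding alone. The following is an added example, not code from httpclient or from this PR: it builds a trust store the same way `set_default_paths` does, constructs a throwaway internal CA and leaf certificate inline, and shows that the leaf only verifies once the internal CA is part of the store. The `configure_httpclient` helper at the end is the assumed way to apply the same choice to an `HTTPClient` instance via its `SSLConfig` (`set_default_paths` from the PR text, `add_trust_ca` for an extra PEM file); the gem is not needed to run the file.

```ruby
require 'openssl'

# A store populated from the operating system's default CA locations.
# This is what httpclient's ssl_config.set_default_paths does internally.
def system_ca_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# Verify a leaf certificate against a store (plus optional intermediates).
# Returns [verified?, error_string_or_nil].
def verify_with_store(store, leaf, chain = [])
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, chain)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Constructed test certificates (not real CAs): a self-signed internal root
# and a server certificate it has issued. Short validity, SHA-256 signature.
def make_cert(subject, issuer_cert, issuer_key, key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

INTERNAL_CA_KEY = OpenSSL::PKey::RSA.new(2048)
INTERNAL_CA = make_cert('/CN=Example Internal Root CA', nil, INTERNAL_CA_KEY, INTERNAL_CA_KEY, ca: true, serial: 1)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert('/CN=intranet.example.test', INTERNAL_CA, INTERNAL_CA_KEY, LEAF_KEY, ca: false, serial: 2)

# Case 1: only the OS store is trusted; the internal CA is unknown, so the
# leaf fails with "unable to get local issuer certificate" (or similar).
def verify_against_system(leaf = LEAF)
  verify_with_store(system_ca_store, leaf)
end

# Case 2: OS store plus the imported internal CA; the same leaf now verifies.
# This mirrors an admin importing the CA into the system trust store.
def verify_against_system_plus_internal(leaf = LEAF, internal_ca = INTERNAL_CA)
  store = system_ca_store
  store.add_cert(internal_ca)
  verify_with_store(store, leaf)
end

# Assumed usage with httpclient (method names from its SSLConfig):
# replace the bundled cacert.p7s store with the OS one, and optionally
# add an internal CA from a PEM file. `client` is an HTTPClient instance.
def configure_httpclient(client, internal_ca_pem_path = nil)
  client.ssl_config.set_default_paths
  client.ssl_config.add_trust_ca(internal_ca_pem_path) if internal_ca_pem_path
  client
end

if __FILE__ == $PROGRAM_NAME
  p verify_against_system
  p verify_against_system_plus_internal
end
```

Running the file prints the two results: the first verification fails because no default path contains the constructed CA, the second succeeds. The difference between the two cases is exactly the gap a third-party library hits when httpclient ignores the OS store.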
Use system wide CA cert store by default.
Not using the system wide CA cert store as the default cert store
makes it impossible to use a different list of CA certs when not
using httpclient directly but through a third-party library.
Hiroshi Nakamura » httpclient #100 SUCCESS
This pull request looks good
It's very confusing to be using a Ruby library that is based on httpclient, and to have it fail on a valid certificate on the Internet without explanation.
@nahi , any update on this?
I'm having the same problem, I'm using a third-party library that uses httpclient to connect to a server with an SSL cert provided by StartSSL. Using system wide CA certs would solve my problem.
Any chance to merge this? Otherwise, would you accept a PR that adds StartSSL to bundled ca certs?
use system CA files by default - see nahi#187
Sorry for long silence.
Setting certs by httpclient itself is ugly and it's also attractive because I can be free from updating cacert.p7s. Can anyone share states of bundled OpenSSL configuration? Rubies with custom built openssl would cause troubles...
Still there are many Ruby developers who use custom-built openssl (like on rbenv), so just setting the default path is not a good choice. I close this but feel free to reopen if there's another solution.