Fix CA configuration by SSL_CERT_DIR #402
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Note there is an alternative PR for this bug in #386. |
|
Test failures are unrelated to this change. The above mentioned PR states that test failures of master are due to expired fixture certificates. I'll keep this change deliberately narrow, only fixing the problem at hand. |
febeling
changed the title
febeling
changed the title
|
@nahi Any thoughts on this fix? |
The environment variable `SSL_CERT_DIR` is documented to configure an alternative trust CA, but that wasn't used before; fixed.
febeling
force-pushed
the
fix_ca_config_by_env_var
branch
from
86fcb4f
to
fed578a
Compare
|
bump, would be good to get this in as it affects other gems, such as OpenIDConnect when attempting to perform discovery |
tigefa4u
pushed a commit
to tigefa4u/gitlabhq
that referenced
this pull request
Jul 15, 2019
By default, httpclient (and hence anything that uses rack-oauth2) ignores the system-wide SSL certificate configuration in favor of its own `cacert.pem`. This makes it impossible to use custom certificates without patching that file. Until nahi/httpclient#402 is merged, we work around this limitation by forcing the `HTTPClient` SSL store to use the default system configuration. Closes https://gitlab.com/charts/gitlab/issues/1436
|
@nahi Please let me know if I can close, or if there's interest. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The environment variable
SSL_CERT_DIRis documented to configure analternative trust CA.
This expected behavior is documented in the SSLConfig module here. It doesn't take effect, though. When searching the library's code for
SSL_CERT_DIRit doesn't occur.This setting is important in cases when a user wants to use a debug proxy, the connection is encrypted, and the client code doesn't use
httpclientdirectly, but through third-party API SDKs, e.g. thegoogle-cloud-storagegem.Fixes #369