elixir-mint / mint

Functional HTTP client for Elixir with support for HTTP/1 and HTTP/2 🌱
Apache License 2.0
1.36k stars 112 forks

Get certs from CAStore, OS, or raise #356

Closed wojtekmach closed 2 years ago

wojtekmach commented 2 years ago

Currently Mint requires CAStore for SSL connections unless the :cacerts/:cacertfile option is given. If CAStore is not available, it raises. The error message even mentions the new OS-provided cert store (https://github.com/elixir-mint/mint/pull/354).

There are some ongoing discussions (https://github.com/sneako/finch/issues/178#issuecomment-1094337705, https://github.com/livebook-dev/kino_db/issues/10#issuecomment-1139532023) about potentially having Mint default to OS-provided certs. We could have Mint use CAStore if available, fallback to OS certs if available, and otherwise raise.

I'm happy to send a patch.

ericmj commented 2 years ago

It may be better to keep raising until OTP-25 is the minimum supported version, otherwise you may get unexpected behaviour if you test on OTP-25 and try to run on an older version. Not sure what the best solution is here.

Libraries building on top of Mint can of course default to OS certs regardless of what we decide to do in Mint.

whatyouhide commented 2 years ago

@wojtekmach Eric and I discussed it (and @josevalim too IIRC) and our argument is that switching the default from raising to using OS certs is a potentially dangerous change now that the OTP community is still not really used to OS certs. I'm totally on-board that higher-level libraries might really want to start moving towards OS certs, but in Mint I think it's okay to use public_key OTP25+ functions if you want to. I'd close this issue and reopen it in a few years 😄
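The fallback order proposed in the opening comment (CAStore, then the OS store, otherwise raise), done in the caller rather than in Mint as the maintainers suggest, as an added example that is not part of this thread or of Mint's code. It assumes the `:castore` dependency may or may not be present, relies on `:public_key.cacerts_get/0` being available on OTP 25+, and passes the result through Mint's `:transport_opts`; the module name `CACertResolver` is made up for the example.

```elixir
# Added example (not Mint's own code): pick a CA trust store for a Mint HTTPS
# connection in the order the issue proposes, and refuse to connect without one
# so the caller never falls through to an unverified TLS session.
defmodule CACertResolver do
  @doc """
  Returns transport options for Mint.HTTP.connect/4 that name the CA source
  explicitly. Raises if no trusted store can be found.
  """
  def transport_opts do
    cond do
      # 1. The CAStore package is compiled into this release: use its bundle.
      Code.ensure_loaded?(CAStore) ->
        [cacertfile: CAStore.file_path()]

      # 2. OTP 25+ exposes the OS trust store; :public_key.cacerts_get/0 itself
      #    raises if the runtime cannot locate one.
      Code.ensure_loaded?(:public_key) and
          function_exported?(:public_key, :cacerts_get, 0) ->
        [cacerts: :public_key.cacerts_get()]

      # 3. Neither is available: fail loudly instead of weakening verification.
      true ->
        raise ArgumentError,
              "no CA certificates available: add :castore to your deps, " <>
                "run on OTP 25+, or pass :cacerts/:cacertfile explicitly"
    end
  end

  @doc """
  Opens a verified HTTPS connection using the resolved trust store. Mint keeps
  its default `verify: :verify_peer`, so only the CA source is supplied here.
  """
  def connect(host, port \\ 443) do
    Mint.HTTP.connect(:https, host, port, transport_opts: transport_opts())
  end
end
```

Because the check happens at connect time, a release tested on OTP 25 but deployed on an older runtime without `:castore` raises with a clear message rather than silently behaving differently, which is the unexpected-behaviour risk ericmj raises above.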

wojtekmach commented 2 years ago

Sounds good, see you in a few years. :D