Open guillheu opened 1 week ago
Hello!
While httpc does support TLS verification of remote server certificates, it can only do so against the client system's authorized CAs.
Are you sure? It looks like you can pass a cert when making the request
https://www.erlang.org/doc/apps/inets/httpc.html#request/4 https://www.erlang.org/doc/apps/ssl/ssl#t:client_option_cert/0
Oh I'm not surprised the original erlang library has support for custom certs, but I'm very unfamiliar with erlang and FFI, I wouldn't really know how to use that option. I'm asking if that option could be exposed in the gleam httpc library directly.
Oh I see! Sorry I got confused. This library is called gleam_httpc and httpc is the Erlang original.
The Configuration type currently only includes a verify_tls: Bool field. I think custom CA certificates could maybe be implemented with a custom_ca_cert: Option(String) field.
I don't think it would make sense to say "do not verify TLS" and "here's a cert to verify TLS with" at the same time, so instead we make a custom type with variants for not verifying, verifying with system certs, and verifying with custom certs. Do you think that would cover all the possibilities?
Yeah that sounds good to me :+1:
While httpc does support TLS verification of remote server certificates, it can only do so against the client system's authorized CAs. However, it is currently not possible to provide a custom CA certificate instead of relying on the system's authorized CAs. Other HTTP clients usually do provide this option, like curl with --cacert.
The only workarounds currently are either to add the custom CA to the system's authorized CAs (which can be inconvenient or impossible in some cases), or to skip TLS verification (which is insecure).
The Configuration type currently only includes a verify_tls: Bool field. I think custom CA certificates could maybe be implemented with a custom_ca_cert: Option(String) field. What do you think?
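The three-way setting agreed on in the thread (no verification, system CAs, custom CA) can be mapped onto the Erlang ssl options that httpc:request/4 accepts, as sketched here. This is an added example, not code from gleam_httpc or from any participant; the module name, the atoms no_verification, system_cas and custom_ca, and the function names are hypothetical.

```erlang
-module(tls_verify_example).
-export([ssl_opts/1, get/2]).

%% Hypothetical setting mirroring the variants proposed in the thread:
%%   no_verification | system_cas | {custom_ca, PemPath}
%% Each clause returns the ssl option list passed to httpc under {ssl, Opts}.

ssl_opts(no_verification) ->
    %% Insecure: the server certificate is not checked at all.
    [{verify, verify_none}];
ssl_opts(system_cas) ->
    %% Trust the operating system's CA store.
    %% public_key:cacerts_get/0 requires OTP 25 or later.
    verify_peer_opts([{cacerts, public_key:cacerts_get()}]);
ssl_opts({custom_ca, PemPath}) ->
    %% Trust only the CA certificates in the given PEM file,
    %% the equivalent of curl's --cacert.
    verify_peer_opts([{cacertfile, PemPath}]).

%% Options shared by both verifying variants.
verify_peer_opts(TrustOpts) ->
    [{verify, verify_peer},
     %% Apply HTTPS hostname matching rules (including wildcard
     %% certificates) when checking the peer name.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}
     | TrustOpts].

%% Url is an Erlang string, e.g. "https://internal.example/".
get(Url, Verification) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    httpc:request(get, {Url, []}, [{ssl, ssl_opts(Verification)}], []).
```

Because the trust source is a single tagged value, a caller cannot combine "do not verify" with a CA file, which is the contradiction the custom type in the thread is meant to rule out.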