nahi / httpclient

'httpclient' gives something like the functionality of libwww-perl (LWP) in Ruby.
https://github.com/nahi/httpclient

SSL_CERT_FILE environment variable is not honoured #369

Open mikz opened 7 years ago

mikz commented 7 years ago

OpenSSL says the SSL_CERT_FILE and SSL_CERT_DIR environment variables can be used to set the default location for certificate files. HTTPClient ignores this setting.

Net::HTTP respects that setting.

$ ruby -rnet/http -e "Net::HTTP.get URI('https://example.com/')"
$ echo $?
0
$ SSL_CERT_FILE=/etc/foo ruby -rnet/http -e "Net::HTTP.get URI('https://example.com/')"
ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)

HTTPClient does not.

$ ruby -rhttpclient -e "HTTPClient.new.get_content('https://example.com/')"
$ echo $?
0
$ SSL_CERT_FILE=/etc/foo ruby -rhttpclient -e "HTTPClient.new.get_content('https://example.com/')"
$ echo $?
0

There is no system-wide way of configuring HTTPClient to use the default system store; it has to be initialised on a per-instance basis as described in https://github.com/nahi/httpclient/issues/335.

Also, the bundle cacert.pem is almost 2 years old missing several important updates.

I think HTTPClient should not default to own bundled CA certificates if system provides that. That might be broken on Windows, but this breaks it on every other UNIX platform.
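As an added example, not part of this thread or of the httpclient code base: a Ruby helper that resolves the trust store the way OpenSSL does (SSL_CERT_FILE, then SSL_CERT_DIR, then the compiled-in defaults) and raises when the configured bundle is unreadable, instead of silently falling back to a different bundle. The certificates are a constructed in-process fixture; the resolved file path would then be handed to each HTTPClient instance via its ssl_config (the HTTPClient::SSLConfig method name is an assumption here, the OpenSSL constants are real).

```ruby
require 'openssl'
require 'tempfile'

# Resolve the CA bundle like OpenSSL does: SSL_CERT_FILE / SSL_CERT_DIR, then compiled-in defaults.
def trust_paths(env = ENV)
  [env.fetch(OpenSSL::X509::DEFAULT_CERT_FILE_ENV, OpenSSL::X509::DEFAULT_CERT_FILE),
   env.fetch(OpenSSL::X509::DEFAULT_CERT_DIR_ENV,  OpenSSL::X509::DEFAULT_CERT_DIR)]
end

# Build an X509 store from those paths; an unreadable SSL_CERT_FILE is an error, not a silent fallback.
def build_store(env = ENV)
  file, dir = trust_paths(env)
  raise ArgumentError, "#{file} is not a readable CA bundle" unless File.readable?(file)
  store = OpenSSL::X509::Store.new
  store.add_file(file)
  store.add_path(dir) if File.directory?(dir)
  store
end

# Constructed fixture (not real certificates): a throwaway CA and a leaf it signed.
def make_cert(cn, key, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**30)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('Constructed Test CA', CA_KEY, ca: true)
LEAF     = make_cert('service.example.test', OpenSSL::PKey::RSA.new(2048), ca: false,
                     issuer_cert: CA_CERT, issuer_key: CA_KEY)
OTHER_CA = make_cert('Unrelated CA', OpenSSL::PKey::RSA.new(2048), ca: true)

# Verify LEAF against a store whose SSL_CERT_FILE holds CA_PEM; true only if that CA issued the leaf.
def verified_with_env?(leaf, ca_pem)
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(ca_pem); f.flush
    build_store('SSL_CERT_FILE' => f.path, 'SSL_CERT_DIR' => '/nonexistent').verify(leaf)
  end
end
```

With the bundle that issued the leaf, verification succeeds; with an unrelated CA in SSL_CERT_FILE it fails, and a path such as /etc/foo raises instead of exiting 0 as the HTTPClient run above does.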

mikz commented 7 years ago

Preliminary patch https://github.com/mikz/httpclient/commit/329824633ec9479dddea765d561ca4b3dbc3ceb3

redbaron commented 6 years ago

Been hit by this too, any chance it can be reviewed?

redbaron commented 6 years ago

In case somebody spent the last 3 hours tracing SSL errors down to this issue, here is a workaround which works for me:

for x in ./lib/ruby/gems/*/gems/**/cacert.pem; do rm $x; ln -s /etc/ssl/certs/ca-certificates.crt $x; done

mikz commented 6 years ago

We are running with https://github.com/nahi/httpclient/compare/master...mikz:ssl-env-cert and it works just fine. And set the SSL_CERT_DIR or SSL_CERT_FILE env variable.

That is just a terrible workaround; it would be way better for httpclient to use the OpenSSL cert store it was compiled with.

mikz commented 6 years ago

Fixed by https://github.com/nahi/httpclient/pull/386

vfazio commented 5 years ago

Any updates on this?