nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

sets SSL opt verify_peer in version check #111

Closed bwireman closed 1 year ago

bwireman commented 2 years ago

The default ssl config in OTP doesn't verify certs, meaning we occasionally get this error when checking for new versions, but this option enables it

10:25:11.124 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

bwireman commented 2 years ago

Bumping for visibility

rubas commented 1 year ago

Bump

houllette commented 1 year ago

Maybe a silly question, but wouldn't this also need us to define a CA Trust Store? (docs)
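
An added example (not code from this pull request or from Sobelow) of an `:httpc` request that sets both options named in the warning above: `verify: :verify_peer` together with a `cacerts` trust store. It assumes OTP 25 or later for `:public_key.cacerts_get/0`; the module name and URL are placeholders.

```elixir
defmodule VersionCheckExample do
  # Added illustration, not Sobelow's code. Module name and URL are placeholders.
  @url "https://example.invalid/latest-version"

  # Build TLS client options that fail closed: if no OS trust store can be
  # loaded, return an error instead of silently falling back to verify_none.
  def ssl_opts do
    {:ok,
     [
       verify: :verify_peer,
       # OS-provided CA certificates (assumes OTP 25+).
       cacerts: :public_key.cacerts_get(),
       # Apply HTTPS hostname matching rules (wildcard certificates).
       customize_hostname_check: [
         match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
       ]
     ]}
  rescue
    error -> {:error, {:trust_store_unavailable, error}}
  end

  def fetch(url \\ @url) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    with {:ok, ssl} <- ssl_opts() do
      request = {String.to_charlist(url), []}
      http_opts = [ssl: ssl, timeout: 5_000]

      case :httpc.request(:get, request, http_opts, body_format: :binary) do
        {:ok, {{_http, 200, _reason}, _headers, body}} -> {:ok, body}
        {:ok, {{_http, status, _reason}, _headers, _body}} -> {:error, {:http_status, status}}
        {:error, reason} -> {:error, reason}
      end
    end
  end
end
```

With `verify: :verify_peer` alone and no `cacerts` or `cacertfile`, the client has no trust anchors to validate the chain against, which is the gap the question above points at.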