Closed gdamjan closed 6 months ago
Your snippet is missing a lot of configuration, you have to provide TLS options and/or certificates, Gun won't do it for you.
ugh sorry, I was going by the guide here: https://ninenines.eu/docs/en/gun/2.0/guide/connect/#_opening_a_new_connection
what options do I need more? I can't find anything about certificates in either the guide or the manual.
ps. I get the same timeout with both example.net:443 and www.google.com:443
You're using OTP-26 so the problem is likely that you haven't given the `cacerts` option. OTP-26 switched to `{verify, verify_peer}` by default so it expects a list of CA certs to do the verification. OTP-25+ has a new function to take system CA certs that you can use:
```erlang
1> {ok, ConnPid} = gun:open("google.com", 443, #{tls_opts => [{cacerts, public_key:cacerts_get()}]}).
{ok,<0.130.0>}
2> gun:await_up(ConnPid).
{ok,http2}
```
Alternatively you can disable peer verification:
```erlang
1> {ok, ConnPid} = gun:open("google.com", 443, #{tls_opts => [{verify, verify_none}]}).
{ok,<0.130.0>}
2> gun:await_up(ConnPid).
{ok,http2}
```
Gun does not currently set CA certs automatically, so it no longer works by default on OTP-26+. When Gun stops supporting versions below OTP-25 it will likely be changed to call `public_key:cacerts_get/0` automatically if none are provided. Maybe for the next version.
To add more context, the TLS configuration information can be found in https://www.erlang.org/doc/man/ssl.html - Gun just passes the configuration to OTP's `ssl` application.
Thanks, `#{tls_opts => [{cacerts, public_key:cacerts_get()}]}` works indeed.

It wasn't obvious that there's a strange interaction between OTP-26 and Gun 2.0.
Two things can make debugging these issues more obvious (for future reference):

1. The `'DOWN'` message the shell receives from the connection process:

   ```erlang
   Shell got {'DOWN',#Ref<0.3552409767.4216324106.107274>,process,<0.123.0>,
                     {shutdown,{options,incompatible,
                                   [{verify,verify_peer},
                                    {cacerts,undefined}]}}}
   ```

2. The `trace => true` option:

   ```erlang
   {ok, ConnPid} = gun:open("ws.postman-echo.com", 443, #{trace => true}).
   (<0.139.0>) returned from gun:normal_tls_handshake/4 -> {error,
                                                             {options,
                                                              incompatible,
                                                              [{verify,
                                                                verify_peer},
                                                               {cacerts,
                                                                undefined}]},
   ```
Cheers.
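As an added example (not code from the Gun project or from anyone in this thread), a small module that builds `tls_opts` satisfying OTP-26's `verify_peer` default from the system CA store, and maps the `{options, incompatible, ...}` shutdown reason seen in the `'DOWN'` message above to a readable error instead of a timeout. It assumes Gun 2.0 (`gun:await_up/3`) and OTP 25+ (`public_key:cacerts_get/0`); the `depth` and `customize_hostname_check` values are my choices, not Gun defaults.

```erlang
%% gun_tls_example.erl: added example, not Gun's own code.
%% Opens a Gun connection on OTP-26 with peer verification kept on,
%% using the system CA store via public_key:cacerts_get/0 (OTP-25+).
-module(gun_tls_example).
-export([tls_opts/0, open_verified/2]).

%% TLS options that satisfy OTP-26's {verify, verify_peer} default.
tls_opts() ->
    [{verify, verify_peer},
     %% System CA certificates (OTP-25+); raises if no store is found.
     {cacerts, public_key:cacerts_get()},
     %% Assumed value: limit the chain length ssl will accept.
     {depth, 3},
     %% Assumed value: match wildcard names the way HTTPS clients do.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Open Host:Port over TLS and wait for the connection to come up.
%% Returns {ok, ConnPid, Protocol} or {error, Reason}.
open_verified(Host, Port) ->
    {ok, ConnPid} = gun:open(Host, Port, #{tls_opts => tls_opts()}),
    MRef = monitor(process, ConnPid),
    case gun:await_up(ConnPid, 5000, MRef) of
        {ok, Protocol} ->
            demonitor(MRef, [flush]),
            {ok, ConnPid, Protocol};
        {error, {down, {shutdown, {options, incompatible, Opts}}}} ->
            %% The OTP-26 symptom from this thread: verify_peer with
            %% no CA certs given, so ssl rejects the option set.
            {error, {missing_cacerts, Opts}};
        {error, Reason} ->
            %% Timeout or any other failure: release the connection.
            gun:close(ConnPid),
            {error, Reason}
    end.
```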
I've tried the patch at #324 but it didn't help
I've assumed they use TLSv1.3 since curl -v says: