New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use system OpenSSL cert file and dir if available #770
Conversation
For users that manage their own SSL certs, it is a surprise that excon ships its own root certificates. As a result, using an old version of excon can cause SSL failures with third-party services, such as S3 (excon#473). We now fall back to the OpenSSL defaults if available to avoid depending on the shipped `cacert.pem`.
Tests will be fixed with #771. |
Hmm, maybe the Line 67 in 0ac208d
|
@stanhu Hey, apologies for any surprise/confusion around this. I'll do my best to share my recollection of the status of this and hopefully we can get to the bottom of it. My understanding was that the So my expectation is that it would use OpenSSL instead of the bundled if it exists. If I recall correctly we set it up this way because there were certain environments/installations where OpenSSL certs were not present and we wanted it to still work (I want to say this was a Windows thing, but it's been a long time now). It definitely wasn't supposed to be instead of OpenSSL, but just to make sure that it would "just work" in other cases. So, if that isn't the behavior we are actually seeing, we should change it. I suspect that because of the way we are doing path and the particular case (removal of an expired), it might mean that after failing to be found in the OpenSSL group it would try the next thing in the path (the bundled) which might then fail? Does that make sense and/or sound likely? Maybe we should change it to check in some way if |
@geemus Makes sense. I think I'll close this. I think it threw me off that In https://gitlab.com/gitlab-org/gitlab/-/issues/342326#note_694301994, we saw that if you called https://gitlab.com/gitlab-org/gitlab/-/merge_requests/71697/diffs fixed the problem for us. I suspect the |
@stanhu Got it, thanks for the update. We could certainly add better documentation/explanation around this for our future selves and others. Otherwise I'm certainly open to improving the usage here if we need to. I looked over the issue/diffs you mentioned but fear I don't have enough context/memory of things to immediately grok what we would need to change. So let me know if you think action is required and if you have advice and I can try to find some time to dig in. Otherwise it sounds like maybe it wasn't as much of a problem as you originally expected and maybe we can let it be for now? |
For users that manage their own SSL certs, it is a surprise that excon
ships its own root certificates. As a result, using an old version of
excon can cause SSL failures with third-party services, such as S3
(#473).
We now fall back to the OpenSSL defaults if available to avoid depending
on the shipped
cacert.pem
.