Revert "Revert "feat: add ssl opt to httpc by default"" #703

Closed


yordis
Member

@yordis yordis commented Aug 5, 2024

Reverts #702

yordis and others added 2 commits August 5, 2024 13:36
TLS: raise limit on max intermediate certs to same as OpenSSL

Prevents validation error for endpoints presenting a longer certificate
chain.

Reference:
* https://docs.openssl.org/3.3/man3/SSL_CTX_set_verify/#notes
@IngelaAndin

Well CRL checking is fairly complex. And from the OTP ssl application's point of view we can not tell you who to trust. From the httpc application's point of view there can be some default trust for web-applications. There is no "one way" of building a CRL cache, and it can depend on how the certificate authorities set things up. Certificates may include distribution points that will include URIs to get CRLs, usually plain HTTP or LDAP ones. CRLs can also be provided in PEM-files (that also must be obtained somehow). Now as CRL checks are done during certificate path validation, you want to cache the CRLs to not have to fetch them every time. Although CRLs can become very large so you might not want to cache them uncontrollably, and this is why the default cache at the moment does not cache. We have a plan to change that, and PRs are always welcome.

Certificate revocation check can have three outcomes: it has found that a certificate is valid, invalid, or it was not able to determine it because the available CRLs did not cover the certificate you were trying to check. The best effort option would possibly make a connection not fail if the CRL server is down, for instance, but it would also pass certificates that do not have a CRL reference.
So I do not consider it good security, it might be a tradeoff that is acceptable under some configuration setup that is not for us (Erlang/OTP) to decide.

We provide an API (https://www.erlang.org/doc/apps/ssl/ssl_crl_cache_api.html) to plug in your own cache handling as there might be many application dependent circumstances on how to implement the cache and make tradeoffs for its freshness.

When it comes to httpc (in inets application) there are many legacy reasons how it came about, and frankly it has for several reasons not had top priority, I think it has shaped up but we still have ambitions to make it better given that we get priority and resources needed to do so.
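
As an added illustration (not code from this PR, Tesla, or OTP), the trade-off described in the comment above can be written with the `ssl` application's `crl_check` and `crl_cache` options passed to `:httpc`. The module name, function names and the 5-second CRL fetch timeout are assumptions made for the example.

```elixir
# Added illustration; HttpcCrlExample and its functions are hypothetical names.
defmodule HttpcCrlExample do
  # Peer verification against the OS trust store (requires OTP 25+ for cacerts_get/0).
  def base_ssl_opts do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Fail closed: if revocation status cannot be determined (CRL server down,
  # no CRL covering the certificate), path validation fails.
  def strict_crl_opts(http_timeout_ms \\ 5_000) do
    base_ssl_opts() ++ crl_opts(true, http_timeout_ms)
  end

  # Fail open: an undetermined status is accepted as valid, so a certificate
  # without a usable CRL reference passes. Revoked certificates found in a
  # fetched CRL are still rejected.
  def best_effort_crl_opts(http_timeout_ms \\ 5_000) do
    base_ssl_opts() ++ crl_opts(:best_effort, http_timeout_ms)
  end

  # The built-in ssl_crl_cache only fetches CRLs from HTTP distribution
  # points when the {:http, timeout} argument is given; it uses inets for that.
  defp crl_opts(mode, http_timeout_ms) do
    [
      crl_check: mode,
      crl_cache: {:ssl_crl_cache, {:internal, [http: http_timeout_ms]}}
    ]
  end

  # Issues a GET with the chosen TLS options.
  def get(url, ssl_opts) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)
    :httpc.request(:get, {String.to_charlist(url), []}, [ssl: ssl_opts], [])
  end
end
```

A caller that needs different freshness or storage behaviour would replace `:ssl_crl_cache` with its own module implementing the `ssl_crl_cache_api` behaviour linked above.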

@yordis
Member Author

yordis commented Oct 21, 2024

I have taken the stand that Tesla will not try to reconfigure the defaults of :httpc to fix the situation.

I firmly believe that this should be fixed upstream in OTP itself. I can not ensure that I will not break some codebase that may rely on the existing setup.

Thank y'all!

@yordis yordis closed this Oct 21, 2024
@yordis yordis deleted the revert-702-revert-626-add-ssl-to-httpc-by-default branch October 21, 2024 02:34