Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(transport): Use env vars for default CA cert bundle location #3160

Merged
merged 2 commits into from
Jun 24, 2024
Merged

feat(transport): Use env vars for default CA cert bundle location #3160

merged 2 commits into from
Jun 24, 2024

Conversation

DragoonAethis
Copy link
Contributor

@DragoonAethis DragoonAethis commented Jun 12, 2024
edited
Loading

Many libraries use the SSL_CERT_FILE environment variable to point at a CA bundle to use for HTTPS certificate verification. This is often used in corporate environments with internal CAs or HTTPS hijacking proxies, where the Sentry server presents a certificate not signed by one of the CAs bundled with Certifi. Additionally, Requests, Python's most popular HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.

Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the default CA bundle.

Fixes GH-3158

One thing I'm not sure about is how to test this - this would require setting up a custom self-signed CA, generate bundle + self-signed certs for the devserver, run tests with env vars against it...

@DragoonAethis
feat(transport): Use env vars for default CA cert bundle location
863562f 
Many libraries use the SSL_CERT_FILE environment variable to point at a
CA bundle to use for HTTPS certificate verification. This is often used
in corporate environments with internal CAs or HTTPS hijacking proxies,
where the Sentry server presents a certificate not signed by one of the
CAs bundled with Certifi. Additionally, Requests, Python's most popular
HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.

Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the
default CA bundle.

Fixes getsentryGH-3158
@sl0thentr0py sl0thentr0py added the Trigger: tests using secrets PR code is safe; run CI label Jun 12, 2024
sl0thentr0py
sl0thentr0py reviewed Jun 12, 2024
View reviewed changes
Copy link
Member

@sl0thentr0py sl0thentr0py left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right that testing this is tricky but we can just merge, it's mostly a harmless change.

One remark:

I assume there's no way to keep the precedence order to have certifi.where() first because it returns a string, this would be better to ensure backwards compat on weird systems that might have both.

@DragoonAethis
Copy link
Contributor Author

I assume there's no way to keep the precedence order to have certifi.where() first because it returns a string, this would be better to ensure backwards compat on weird systems that might have both.

certifi.where() always returns a valid string because certifi ships a fallback certificate bundle with the package. The alternative is to set ca_cert_dir which may be a directory that contains multiple loose CA certs, but then some preprocessing is required (building a dir with certifi + provided CAs in a temporary directory).

sl0thentr0py
sl0thentr0py approved these changes Jun 24, 2024
View reviewed changes
Copy link
Member

@sl0thentr0py sl0thentr0py left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alright let's ship it

@sl0thentr0py sl0thentr0py enabled auto-merge (squash) June 24, 2024 16:19
@github-actions github-actions bot removed the Trigger: tests using secrets PR code is safe; run CI label Jun 24, 2024
@sl0thentr0py sl0thentr0py merged commit a293450 into getsentry:master Jun 24, 2024
109 of 111 checks passed
@DragoonAethis
Copy link
Contributor Author

Thanks!

arjennienhuis pushed a commit to arjennienhuis/sentry-python that referenced this pull request Sep 30, 2024
@DragoonAethis @sl0thentr0py @arjenzorgdoc
feat(transport): Use env vars for default CA cert bundle location (ge…
fed75f3 
…tsentry#3160)

Many libraries use the SSL_CERT_FILE environment variable to point at a
CA bundle to use for HTTPS certificate verification. This is often used
in corporate environments with internal CAs or HTTPS hijacking proxies,
where the Sentry server presents a certificate not signed by one of the
CAs bundled with Certifi. Additionally, Requests, Python's most popular
HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.

Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the
default CA bundle.

Fixes getsentryGH-3158

Co-authored-by: Neel Shah <neel.shah@sentry.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sl0thentr0py sl0thentr0py sl0thentr0py approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support SSL_CERT_FILE for the default ca_certs location
2 participants
@DragoonAethis @sl0thentr0py