SSL_CERT_FILE environment variable is not honoured

[mikz]

OpenSSL says SSL_CERT_FILE and SSL_CERT_DIR environment variables can be used to set default location for certificate fails. HTTPClient ignores this setting.

Net::HTTP respects that setting.

$ ruby -rnet/http -e "Net::HTTP.get URI('https://example.com/')"
$ echo $?
0
$ SSL_CERT_FILE=/etc/foo ruby -rnet/http -e "Net::HTTP.get URI('https://example.com/')"
ruby-2.3.1/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)

HTTPClient does not.

$ ruby -rhttpclient -e "HTTPClient.new.get_content('https://example.com/')"
$ echo $?
0
$ SSL_CERT_FILE=/etc/foo ruby -rhttpclient -e "HTTPClient.new.get_content('https://example.com/')"
$ echo $?
0

There is no system-wide way of configuring HTTPClient to use default system store and has to be initialised on per instance basis as described in #335.

Also, the bundle cacert.pem is almost 2 years old missing several important updates.

I think HTTPClient should not default to own bundled CA certificates if system provides that. That might be broken on Windows, but this breaks it on every other UNIX platform.

[mikz]

Preliminary patch mikz@3298246

[redbaron]

been hit by this too, any chance it can be reviewed?

[redbaron]

In case somebody spent last 3 hours tracing SSL errors down to this issue, here is workaround which works for me:

for x in ./lib/ruby/gems/*/gems/**/cacert.pem; do rm $x; ln -s /etc/ssl/certs/ca-certificates.crt $x; done

[mikz]

We are running with master...mikz:ssl-env-cert and it works just fine. And set the SSL_CERT_DIR or SSL_CERT_FILE env variable.

That is just a terrible workaround and would be way better for httpclient to use OpenSSL cert store it was compiled with.

[mikz]

Fixed by #386

[vfazio]

any updates on this?