Add support to custom CA certificate stores #3246
Comments
|
Adding an environment variable sounds fab! |
|
heya, I see a bunch of closed and draft PRs but nothing's been merged in to allow gleam on corporate networks :( I would really love to have the option to point gleam at our office's custom CA certificates file. right now I'm not able to use gleam on my work computer (an office managed Mac) :(, which is sad, because I'd love to! edit: Node has |
|
The PR is nearly finished, it is just missing error handling! Once it has that we can do a review and possibly merge. See the comments in the draft PR. |
|
Except we have no idea where to propagate the errors to and why boxing the errors are causing problems in Node. |
|
It would be propagated to the top level, the same as in the rest of the codebase. It'll be a quite a straightforward addition, any of the other errors can be used as a reference. No need to box the errors, and this is before Node or any runtime is executed so won't need to worry about those. |
|
That would mean Gleam would complain if the user assigned an empty string as their environment variable. This is non-standard behaviour and potentially terrible UX. If no one has objections to this, I’ll finish the PR by this weekend. |
|
Node had the same behaviour of emitting an error. Do try not call a someone's work "terrible" to their face. It is extremely rude. Note I also did not ask for it to error for an empty variable, I asked for to error when the path is set but unable to be read and parsed. |
you are amazing sirs! thanks for all of this, the transition from Elixir to this for random stuff has been epic so far! |
I think you misunderstood what I meant. I meant that throwing an error for an empty environment variable is potentially terrible UX. Apologies for not being clear.
Thanks for clarifying. So how should we handle unassigned or empty strings? Should we still let it fall through? |
Many corporate environments are protected by firewalls that act as SSL Forward Proxy, effectively breaking the SSL connection and replacing the root certificate for one owned by the organization. For the general browsing use case that is not an issue, since the organization root CA is added to the trusted certificate store of all clients OS.
Unfortunately, command line tools (such as gleam) are generally not aware about those custom trusted certificates, and therefore the SSL connection fails when trying to obtain Hex packages:
Unable to determine package versions: error sending request for url (https://repo.hex.pm/packages/gleeunit): error trying to connect: invalid peer certificate: UnknownIssuerThe most "convenient" approach for Windows users would be to configure Gleam to be able to use the OS certificate store, so any changes on the corporate certificate configuration can immediately be used by Gleam without any configuration changes. For instance, in Git this is solved by choosing the SChannel SSL backend mechanism:
git config --global http.sslBackend schannelHowever this solution would require the usage of a Windows specific API, and will not solve the problem for other non-Windows users.
Alternatively, an environment variable or a configuration setting can be used to specify the location of the trusted custom certificate store.
For instance, when using Elixir in a corporate environment, in order to retrieve Hex dependencies using mix you have the following two options to specify the path to the CA certificate store PEM file:
More background about this issue can be found on the related Github discussion page.
The text was updated successfully, but these errors were encountered: