
Comments (14)

jhollinger avatar jhollinger commented on August 18, 2024 45

Yeah, pretty crazy that it's doing that. Our fix was the following monkeypatch:

require 'httpclient'

class HTTPClient
  alias original_initialize initialize

  def initialize(*args, &block)
    original_initialize(*args, &block)
    # Force use of the default system CA certs (instead of the 6 year old bundled ones)
    @session_manager&.ssl_config&.set_default_paths
  end
end

from httpclient.
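As an added example (not from this thread or the httpclient project) of what a stale bundled CA file actually breaks: the script below uses Ruby's stdlib OpenSSL to build two constructed roots, a "stale" one that has already expired and a "current" one, then treats one PEM string as a stand-in for the gem's old cacert.pem and another as a stand-in for the system store that `set_default_paths` would load. It shows the two failure modes a refreshed bundle clears up (a leaf issued by a root the old bundle never contained, and a leaf whose root the old bundle does contain but which has itself expired), and includes a small audit that lists bundle entries that are expired or about to be. Every certificate name and date here is constructed.

```ruby
require 'openssl'

# Self-signed CA (constructed test data, not a real root).
def make_ca(name, not_before:, not_after:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server certificate issued by the given CA (also constructed).
def make_leaf(hostname, ca_cert, ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

CERT_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Entries of a PEM bundle that are already expired or expire within `days` days:
# the audit you would run against a vendored cacert.pem before trusting it.
def stale_roots(pem_bundle, days: 90, now: Time.now)
  pem_bundle.scan(CERT_RE)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
            .select { |c| c.not_after < now + days * 86_400 }
            .map { |c| [c.subject.to_s, c.not_after] }
end

# Verify a leaf against a trust store built only from `pem_bundle`.
# Returns [true, nil] on success or [false, openssl_error_text] on failure.
def verify_with_bundle(leaf, pem_bundle)
  store = OpenSSL::X509::Store.new
  pem_bundle.scan(CERT_RE).each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ok = store.verify(leaf)
  [ok, ok ? nil : store.error_string]
end

YEAR = 365 * 86_400
OLD_ROOT, OLD_KEY = make_ca('Stale Example Root', not_before: Time.now - 10 * YEAR, not_after: Time.now - 86_400)
NEW_ROOT, NEW_KEY = make_ca('Current Example Root', not_before: Time.now - 86_400, not_after: Time.now + 5 * YEAR)
LEAF_FROM_NEW = make_leaf('api.example.test', NEW_ROOT, NEW_KEY)
LEAF_FROM_OLD = make_leaf('legacy.example.test', OLD_ROOT, OLD_KEY)

BUNDLED_CACERT = OLD_ROOT.to_pem                          # stand-in for the gem's outdated cacert.pem
SYSTEM_CACERT  = [OLD_ROOT, NEW_ROOT].map(&:to_pem).join  # stand-in for the system store

if __FILE__ == $PROGRAM_NAME
  puts "stale entries in bundled file: #{stale_roots(BUNDLED_CACERT).inspect}"
  puts "new-root leaf vs bundled file: #{verify_with_bundle(LEAF_FROM_NEW, BUNDLED_CACERT).inspect}"
  puts "old-root leaf vs bundled file: #{verify_with_bundle(LEAF_FROM_OLD, BUNDLED_CACERT).inspect}"
  puts "new-root leaf vs system store: #{verify_with_bundle(LEAF_FROM_NEW, SYSTEM_CACERT).inspect}"
end
```

Run it as a script and the first three lines show the stale entry, "unable to get local issuer certificate" and "certificate has expired"; the last line succeeds because the system-store stand-in carries the current root. That is the same mechanism the `set_default_paths` fixes in this thread rely on: the store gains the roots the vendored file predates.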

jessebs avatar jessebs commented on August 18, 2024 9

Building off of @jhollinger, just calling client.ssl_config.set_default_paths without overriding the constructor seems to work

client = HTTPClient.new
client.ssl_config.set_default_paths


gareth avatar gareth commented on August 18, 2024 5

It might have got hidden in the references above, but thanks to @nov there are now new versions of webfinger, rack-oauth2, fb_graph2, swd and openid_connect that have these fixes incorporated.


jdongelmans avatar jdongelmans commented on August 18, 2024 4

Just an FYI: this gem is a dependency for Rack::OAuth2 and broke our production, so we added an initializer basically doing the same as mentioned above:

Rack::OAuth2.http_config do |c|
  c.ssl_config.clear_cert_store
  c.ssl_config.cert_store.set_default_paths
end


jhollinger avatar jhollinger commented on August 18, 2024 2

Is this lib even actively maintained? There's not much commit activity at all. I've rarely seen anyone use httpclient directly in their apps; usually it's a transitive dependency (openid_connect, rack-oauth2, etc). Could we put pressure on those projects to reduce their dependencies? I'll grant that the stdlib's HTTP client doesn't have the cleanest API, but it works just fine. The community has kind of "left-padded" itself, here, IMHO.


mbeijen avatar mbeijen commented on August 18, 2024 1

This issue was fixed in Debian's version of the package, like this: https://salsa.debian.org/ruby-team/ruby-httpclient/-/commit/542849f1b60e9c0cd24c328ad710b2a94cb42729


jrochkind avatar jrochkind commented on August 18, 2024 1

@nahi no action on this in over a year may lead me to abandon HTTPClient, when I otherwise rather like it. :(


willtcarey avatar willtcarey commented on August 18, 2024

Our application also uses Webfinger in our OAuth stack. The process of getting it to use the system certs was similar to Rack::OAuth2.

WebFinger.http_config do |c|
  c.ssl_config.clear_cert_store
  c.ssl_config.cert_store.set_default_paths
end


jamesyale avatar jamesyale commented on August 18, 2024

Thanks all, based on @jhollinger 's suggestion we hacked the library directly: livelink@c1b97a7#diff-2a6765023b9beb8295399d5c04286045360ce90aabfffead2dba5c2c3ef71173


essjayhch avatar essjayhch commented on August 18, 2024

Just FYI, the monkey patch uses a Ruby 2.3+ feature set.

Not that I'm suggesting httpclient should specifically support the ancient versions of Ruby out there, but it is worth noting that this gem has been fundamental since the days of Rails 2, which, love it or hate it, still exists out there in the wild.

For those coming across this and looking to fix a certificate error on an unsupported version of Ruby, the problem you will be tripping over will be the &. (safe navigation operator) littered through the patch.

Yeah, pretty crazy that it's doing that. Our fix was the following monkeypatch:

require 'httpclient'

class HTTPClient
  alias original_initialize initialize

  def initialize(*args, &block)
    original_initialize(*args, &block)
    # Force use of the default system CA certs (instead of the 6 year old bundled ones)
    @session_manager&.ssl_config&.set_default_paths
  end
end

Thinking about this (as we've had to patch some pre-Ruby-2.3 legacy code), you shouldn't need the safe operator, as the @ssl_config attribute should already be set up by the time you get to the end of the constructor anyway.


heinrichhanekom avatar heinrichhanekom commented on August 18, 2024

We had the same thing.
Thanks for the fixes:

OpenIDConnect.http_config do |c|
  c.ssl_config.clear_cert_store
  c.ssl_config.cert_store.set_default_paths
end

Rack::OAuth2.http_config do |c|
  c.ssl_config.clear_cert_store
  c.ssl_config.cert_store.set_default_paths
end

WebFinger.http_config do |c|
  c.ssl_config.clear_cert_store
  c.ssl_config.cert_store.set_default_paths
end


jfederico avatar jfederico commented on August 18, 2024

Something else brought me here, but yeah, this is pretty bad.

It would be super hard to update properly. The dependency on version 2.8.3 comes from google-apis-core (0.3.0), but there are some other gems depending on even older versions. We are using omniauth_openid_connect 0.3.5 (June 7, 2020), which uses openid_connect ~> 1.1 (March 23, 2017), which uses webfinger >= 1.0.1 (December 22, 2014), which uses httpclient >= 2.4 (June 8, 2014).

The patch contributed here #2930 seems to be the best choice right now, although it may need to be extended.

We are looking into it.

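The dependency chain jfederico traces by hand is the kind of thing worth checking mechanically before deciding which gem to pin, patch or replace. The script below is an added example, not code from the thread or from Bundler: a minimal Gemfile.lock parser plus a search for every chain from a top-level dependency down to a target gem. The lock excerpt is constructed; the gem names and the two versions taken from the comment (omniauth_openid_connect 0.3.5, httpclient 2.8.3, google-apis-core 0.3.0) are real, and every other version and constraint in it is made up for the example.

```ruby
# Constructed Gemfile.lock excerpt (see the lead-in for which values are real).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      google-apis-core (0.3.0)
        httpclient (~> 2.8)
      httpclient (2.8.3)
      omniauth_openid_connect (0.3.5)
        openid_connect (~> 1.1)
      openid_connect (1.1.0)
        webfinger (>= 1.0.1)
      webfinger (1.0.1)
        httpclient (>= 2.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    google-apis-core (~> 0.3)
    omniauth_openid_connect
LOCK

# Parse the GEM/PATH/GIT and DEPENDENCIES sections of a Gemfile.lock into
# resolved versions, a spec -> direct-dependency graph, and the top-level deps.
# Relies only on the lock format's indentation: 4 spaces for a spec, 6 for its
# dependencies, 2 for a top-level dependency.
def parse_lockfile(text)
  versions = {}
  deps = Hash.new { |h, k| h[k] = [] }
  top = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line =~ /\A[A-Z]/                       # unindented section header
      section = case line
                when 'GEM', 'PATH', 'GIT' then :specs
                when 'DEPENDENCIES'       then :deps
                end
      next
    end
    indent = line[/\A */].size
    name = line.strip[/\A\S+/].delete_suffix('!')   # '!' marks path/git-sourced deps
    version = line[/\(([^)]*)\)/, 1]
    if section == :specs && indent == 4
      versions[name] = version
      current = name
    elsif section == :specs && indent == 6 && current
      deps[current] << name
    elsif section == :deps && indent == 2
      top << name
    end
  end
  { versions: versions, deps: deps, top: top }
end

# Every chain from a top-level dependency down to `target`: the answer to
# "why is httpclient in my bundle at all?"
def dependency_paths(lock, target)
  found = []
  walk = lambda do |name, path|
    next if path.include?(name)             # cycle guard
    path += [name]
    if name == target
      found << path
    else
      lock[:deps].fetch(name, []).each { |dep| walk.call(dep, path) }
    end
  end
  lock[:top].each { |gem| walk.call(gem, []) }
  found
end

LOCK = parse_lockfile(SAMPLE_LOCKFILE)

if __FILE__ == $PROGRAM_NAME
  puts "httpclient resolved to #{LOCK[:versions]['httpclient']}"
  dependency_paths(LOCK, 'httpclient').each { |chain| puts chain.join(' -> ') }
end
```

Point it at a real Gemfile.lock (`parse_lockfile(File.read('Gemfile.lock'))`) and each printed chain ends at the gem that actually pulls httpclient in; for the chain in the comment that is webfinger, which is the gem whose fix matters most if you want the transitive dependency to go away rather than be patched around.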

RiverHeart avatar RiverHeart commented on August 18, 2024

This appears to have affected apt-listbugs as well, which in our case was preventing updates from going through. Fix is the same as the original, but uses the path to the system version /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem

Thread first indicating the issue with apt-listbugs
https://www.mail-archive.com/[email protected]/msg1822839.html


kirsha2 avatar kirsha2 commented on August 18, 2024

Is there any update or timeline on when a fix for this issue can be released?

