Skip to content

Add default certificate store when none given #1089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add default certificate store when none given #1089

wants to merge 1 commit into from

Conversation

nanaya
Copy link

@nanaya nanaya commented Apr 15, 2017

@nanaya
Copy link
Author

nanaya commented Apr 15, 2017
edited
Loading

Unfortunately this will set verify_mode to system default as well which is peer in my system.

Updated to default to none as per current behavior (which honor SSLContext#verify_mode default instead of system default).

I'm not sure anymore what the default should be. I switched to just adding default cert store when neither ca_path nor ca_file is specified and mode isn't none.

Alternatively:

      Net::SMTP.default_ssl_context.tap do |context|
        params = {}
        params[:verify_mode] = openssl_verify_mode if openssl_verify_mode
        params[:ca_path] = settings[:ca_path] if settings[:ca_path]
        params[:ca_file] = settings[:ca_file] if settings[:ca_file]

        context.set_params(params)
      end

@nanaya nanaya force-pushed the master branch 5 times, most recently from a610aeb to 3c53966 Compare April 15, 2017 22:42
@nanaya nanaya changed the title Add required set_params call for system defaults Add defaults certificate store when none given Apr 15, 2017
@nanaya nanaya changed the title Add defaults certificate store when none given Add default certificate store when none given Apr 15, 2017
jeremy
jeremy requested changes May 16, 2017
View reviewed changes
Copy link
Collaborator

@jeremy jeremy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we test this?

lib/mail/network/delivery_methods/smtp.rb
context.ca_file = settings[:ca_file] if settings[:ca_file]
elsif openssl_verify_mode && openssl_verify_mode != OpenSSL::SSL::VERIFY_NONE
context.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
end
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we always set the cert store? Does it need to be mutually exclusive with provided CA path/file settings?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. Unfortunately I'm not sure myself. I based this off #set_params which checks all three settings (including cert_store itself).

@jdongelmans jdongelmans mentioned this pull request Jan 9, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeremy jeremy jeremy requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
More Work Needed SMTP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nanaya @jeremy