hexpm / bob

The Builder

CA Certificates & OTP 26

maennchen opened this issue · comments

Description

Starting from OTP 26, a safe default is assumed for most TLS connections.

Most places (like httpc) call public_key:cacerts_get() internally. This will produce a crash:

** exception error: no match of right hand side value {error,enoent}
     in function  pubkey_os_cacerts:get/0 (pubkey_os_cacerts.erl, line 38)

(Better error message incoming with erlang/otp#7302)

That crash is on purpose and OTP just expects there to be certificates. (See docs: https://www.erlang.org/doc/man/public_key.html#cacerts_get-0)

I therefore think that we should consider a cacertbundle to be a required dependency of OTP and install it in every image.

(apt-get install -y ca-certificates in debian images)

Reproduction

$ docker run -ti hexpm/erlang:26.0-debian-bullseye-20230227-slim erl -eval 'public_key:cacerts_get().'
Erlang/OTP 26 [erts-14.0] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]

Error! Failed to eval: public_key:cacerts_get().

Runtime terminating during boot ({{badmatch,{error,enoent}},[{pubkey_os_cacerts,get,0,[{_},{_}]},{erl_eval,do_apply,7,[{_},{_}]},{init,start_it,1,[]},{init,start_em,1,[]},{init,do_boot,3,[]}]})

Crash dump is being written to: erl_crash.dump...done
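As an added example (not code from this issue or from hexpm/bob), an Erlang helper that turns the crash above into an explicit error and only hands `ssl`/`httpc` a `verify_peer` configuration when an OS CA bundle is actually present; the module name, function names and the fallback bundle path are assumptions:

```erlang
%% Added example, not part of hexpm/bob. Module and function names are
%% assumptions made for illustration.
-module(cacert_check).
-export([load_cacerts/0, load_cacerts/1, tls_opts/0]).

%% Assumed fallback location for an application-shipped PEM bundle.
-define(FALLBACK_BUNDLE, "/app/priv/cacerts.pem").

%% Wrap public_key:cacerts_get/0 so a missing OS bundle yields
%% {error, Reason} instead of terminating the VM with a badmatch.
load_cacerts() ->
    load_cacerts(?FALLBACK_BUNDLE).

load_cacerts(FallbackPem) ->
    try public_key:cacerts_get() of
        Certs when is_list(Certs), Certs =/= [] ->
            {ok, Certs}
    catch
        %% OTP 26.0 surfaces the missing bundle as this badmatch;
        %% later releases raise a clearer error, so catch both shapes.
        error:{badmatch, {error, enoent}} ->
            load_fallback(FallbackPem);
        error:_ ->
            load_fallback(FallbackPem)
    end.

%% Try an explicit PEM file (e.g. shipped with the release); if that is
%% absent too, report it so deployment can install ca-certificates.
load_fallback(PemPath) ->
    case public_key:cacerts_load(PemPath) of
        ok -> {ok, public_key:cacerts_get()};
        {error, Reason} -> {error, {no_ca_bundle, Reason}}
    end.

%% TLS options that verify the server. Never fall back to verify_none:
%% a missing bundle is a deployment bug, not a reason to skip verification.
tls_opts() ->
    case load_cacerts() of
        {ok, Certs} ->
            [{verify, verify_peer}, {cacerts, Certs}, {depth, 3}];
        {error, Reason} ->
            error({missing_ca_bundle, Reason})
    end.

%% Usage with httpc, e.g.:
%%   httpc:request(get, {"https://hex.pm", []}, [{ssl, cacert_check:tls_opts()}], []).
```

In an image without `ca-certificates` and without the fallback PEM, `tls_opts/0` raises `{missing_ca_bundle, ...}` at startup, which is easier to diagnose than the boot-time badmatch shown in the reproduction.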

Yes 👍

Can you send a PR?

@ericmj Will do 😊

@ericmj Any updates on this?