sorentwo / braintree-elixir

:credit_card: Native elixir client for Braintree

SSL warnings with OTP 24

mtarnovan opened this issue

Since we upgraded to OTP 24, we noticed doing API calls through braintree-elixir logs warnings like these:

14:22:58.995 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

I noticed that not passing the cacertfile does not generate this warning:

iex(ypsilon-prod@app01-prod)6> :hackney.request(:get, "https://api.braintreegateway.com/merchants/", [], [], [ssl_options: [cacertfile: cacertfile]])                      

14:29:21.118 [warn]  Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

{:ok, 302, ...}

iex(ypsilon-prod@app01-prod)7> :hackney.request(:get, "https://api.braintreegateway.com/merchants/")                                                                       
{:ok, 302,
 [

I also noticed that if I pass both cacertfile (the certfile provided by braintree-elixir) and verify: verify_peer, the SSL handshake fails:

{:error,
 {:tls_alert,
  {:unknown_ca,
   'TLS client: In state wait_cert_cr at ssl_handshake.erl:1988 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}

@mtarnovan I finally had some time to look into this and it turns out that the bundled certificate was out of date. I've updated it and enabled verify_peer. Things look good now.

Thanks for the report 💛

Great, thanks! Do you know when a new version with this fix will be available?
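
The combination described in this thread (a CA bundle together with verify_peer) can be checked before a release with a handshake probe. This is an added example, not code from the issue or from braintree-elixir; the module name `TlsCheck` and the bundle path `priv/cacerts.pem` are assumptions.

```elixir
defmodule TlsCheck do
  # Added example; the module name and the bundle path used below are hypothetical.

  # Explicit client options: chain validation against the given CA bundle
  # plus hostname matching, so nothing depends on library defaults.
  def ssl_options(host, cacertfile) do
    [
      verify: :verify_peer,
      cacertfile: String.to_charlist(cacertfile),
      server_name_indication: String.to_charlist(host),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Offline sanity check: number of certificates found in the PEM bundle.
  def bundle_cert_count(cacertfile) do
    cacertfile
    |> File.read!()
    |> :public_key.pem_decode()
    |> Enum.count(fn {type, _der, _enc} -> type == :Certificate end)
  end

  # Handshake only (needs network access). Returns :ok or {:error, reason}.
  def probe(host, cacertfile, port \\ 443, timeout \\ 5_000) do
    {:ok, _apps} = Application.ensure_all_started(:ssl)
    opts = ssl_options(host, cacertfile)

    case :ssl.connect(String.to_charlist(host), port, opts, timeout) do
      {:ok, socket} ->
        :ssl.close(socket)
        :ok

      # The alert quoted in this thread: no CA in the bundle anchors the chain.
      {:error, {:tls_alert, {:unknown_ca, _detail}}} ->
        {:error, :unknown_ca_stale_or_wrong_bundle}

      {:error, reason} ->
        {:error, reason}
    end
  end
end

# Usage (host taken from the thread, bundle path is a placeholder):
#   TlsCheck.probe("api.braintreegateway.com", "priv/cacerts.pem")
#   :hackney.request(:get, url, [], [], ssl_options: TlsCheck.ssl_options(host, path))
```

Running the probe in CI against the shipped bundle surfaces an outdated bundle as a failed check rather than as a production handshake error.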