SSL warnings with OTP 24
mtarnovan opened this issue
Since we upgraded to OTP 24, we noticed doing API calls through braintree-elixir logs warnings like these:
14:22:58.995 [warn] Description: 'Authenticity is not established by certificate path validation'
Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'
I noticed that not passing the cacertfile does not generate this warning:
iex(ypsilon-prod@app01-prod)6> :hackney.request(:get, "https://api.braintreegateway.com/merchants/", [], [], [ssl_options: [cacertfile: cacertfile]])
14:29:21.118 [warn] Description: 'Authenticity is not established by certificate path validation'
Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'
{:ok, 302, ...}
iex(ypsilon-prod@app01-prod)7> :hackney.request(:get, "https://api.braintreegateway.com/merchants/")
{:ok, 302,
[
I also noticed if I pass both cacertfile (the certfile provided by braintree-elixir), and verify: verify_peer the SSL handshake fails:
{:error,
{:tls_alert,
{:unknown_ca,
'TLS client: In state wait_cert_cr at ssl_handshake.erl:1988 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}
@mtarnovan I finally had some time to look into this and it turns out that the bundled certificate was out of date. I've updated it and enabled verify_peer. Things look good now.
Thanks for the report 💛
Great, thanks! Do you know when a new version with this fix will be available?
Released in v0.12.1, available right now https://hexdocs.pm/braintree/0.12.1/changelog.html#v0-12-1-2021-11-18
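An added example, not part of the thread and not braintree-elixir's own code: a small Elixir module that builds the `ssl_options` combination discussed above (`verify: :verify_peer` together with a CA file) and audits an option list for the gaps that produce the OTP 24 warning. The module name `TlsOpts`, its functions, and the bundle path are hypothetical; treating a missing `:verify` key as "not verifying" is an assumption that matches the OTP 24 behaviour reported in the thread.

```elixir
defmodule TlsOpts do
  @moduledoc "Builds and audits :ssl client options (hypothetical helper, added example)."

  # Options that make the client validate the server's chain against the
  # given CA bundle and match the host name the way HTTPS clients do.
  def verified(cacertfile) when is_binary(cacertfile) do
    [
      verify: :verify_peer,
      cacertfile: String.to_charlist(cacertfile),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Returns a list of problems found in an ssl_options keyword list.
  # An empty list means: verify_peer is set and a usable CA source is present.
  def audit(opts) when is_list(opts) do
    []
    |> check(Keyword.get(opts, :verify) != :verify_peer, :verify_peer_missing)
    |> check(not has_ca?(opts), :ca_source_missing)
    |> check(bad_ca_file?(opts), :ca_file_unusable)
    |> Enum.reverse()
  end

  defp check(acc, true, problem), do: [problem | acc]
  defp check(acc, false, _problem), do: acc

  defp has_ca?(opts) do
    Keyword.has_key?(opts, :cacertfile) or Keyword.has_key?(opts, :cacerts)
  end

  # A CA file is unusable if it cannot be read or holds no PEM certificate.
  defp bad_ca_file?(opts) do
    with {:ok, path} <- Keyword.fetch(opts, :cacertfile),
         {:ok, pem} <- File.read(path) do
      not Enum.any?(:public_key.pem_decode(pem), &match?({:Certificate, _, _}, &1))
    else
      :error -> false          # no cacertfile key: reported by :ca_source_missing
      {:error, _} -> true      # file missing or unreadable
    end
  end
end

# Constructed inputs; the path is a placeholder, not the library's bundle location.
bundle = "/path/to/ca-bundle.pem"
IO.inspect(TlsOpts.audit(cacertfile: String.to_charlist(bundle)), label: "cacertfile only")
IO.inspect(TlsOpts.audit(TlsOpts.verified(bundle)), label: "verify_peer + cacertfile")
```

The audit only checks that the bundle is readable and contains certificates; whether it still includes the CA that signed the server's chain (the cause of the `unknown_ca` alert above) shows up only in a real handshake.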