Problem
Faraday always trusts the OpenSSL system root CAs, even when a :ca_file or a :ca_path is specified, e.g. to implement CA pinning or to reduce the number of trusted certificates.
Example
Faraday.new('https://www.google.com', ssl: { ca_file: '/not/used/by/google/ca.pem' }).get('/') # => #<Faraday::Response:0x007ffd580b19d8 ...
Expected behavior:
An error about server certificate validation, because the website's certificate does not match the :ca_file
Root Cause:
Within the net_http adapter, ssl_cert_store will create a certificate store that includes the OpenSSL system root CAs if :cert_store is not specified:
https://github.com/lostisland/faraday/blob/master/lib/faraday/adapter/net_http.rb#L105
  def ssl_cert_store(ssl)
    # An explicitly supplied store wins
    return ssl[:cert_store] if ssl[:cert_store]
    # Use the default cert store by default, i.e. system ca certs
    cert_store = OpenSSL::X509::Store.new
    cert_store.set_default_paths
    cert_store
  end
I would think that Faraday should only set a default :cert_store if there is no :ca_file, no :ca_path, and no :cert_store specified.
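Added example (not code from Faraday or from the issue author) that reproduces the reported behaviour offline and shows the proposed fix side by side. Assumptions: `current_cert_store` models the net effect of the adapter's default store with a `:ca_file` layered on top (which is what the issue describes); the CAs, keys and server certificate are constructed in memory; and the `SSL_CERT_FILE` environment variable, which OpenSSL honours in `set_default_paths`, is pointed at a constructed root so that "system roots" are reproducible on any machine. `proposed_cert_store` is my reading of the suggestion above, not an API Faraday provides.

```ruby
require 'openssl'
require 'tmpdir'

# Build a self-signed CA or a CA-signed leaf certificate in memory.
# All names, keys and serials here are constructed for this example.
def make_cert(subject, key, serial:, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Model of the behaviour reported in this issue (assumption: the net effect of
# ssl_cert_store plus :ca_file / :ca_path applied on top of it): the system
# roots are always loaded, so :ca_file can only widen the trust set.
def current_cert_store(ssl)
  return ssl[:cert_store] if ssl[:cert_store]
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_file(ssl[:ca_file]) if ssl[:ca_file]
  store.add_path(ssl[:ca_path]) if ssl[:ca_path]
  store
end

# Proposed behaviour: fall back to the system roots only when the caller
# supplied no trust anchors of their own.
def proposed_cert_store(ssl)
  return ssl[:cert_store] if ssl[:cert_store]
  store = OpenSSL::X509::Store.new
  if ssl[:ca_file] || ssl[:ca_path]
    store.add_file(ssl[:ca_file]) if ssl[:ca_file]
    store.add_path(ssl[:ca_path]) if ssl[:ca_path]
  else
    store.set_default_paths
  end
  store
end

# Runs the pinning scenario offline. OpenSSL reads SSL_CERT_FILE inside
# set_default_paths, so a constructed root stands in for the real system roots.
def pinning_demo
  system_key, pinned_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  system_root = make_cert('/CN=Constructed System Root CA', system_key, serial: 1, ca: true)
  pinned_ca   = make_cert('/CN=Constructed Pinned CA', pinned_key, serial: 2, ca: true)
  # The server presents a certificate chaining to the "system" root, not to the pinned CA.
  leaf = make_cert('/CN=www.example.test', leaf_key, serial: 3,
                   issuer_cert: system_root, issuer_key: system_key)

  saved_env = ENV['SSL_CERT_FILE']
  Dir.mktmpdir do |dir|
    system_roots_pem = File.join(dir, 'system-roots.pem')
    pinned_pem = File.join(dir, 'pinned-ca.pem')
    File.write(system_roots_pem, system_root.to_pem)
    File.write(pinned_pem, pinned_ca.to_pem)
    ENV['SSL_CERT_FILE'] = system_roots_pem

    {
      # Bug: pinning to a CA that did not issue the leaf still verifies.
      current_pinned:      current_cert_store(ca_file: pinned_pem).verify(leaf),
      # Fix: only the pinned CA is trusted, so the leaf is rejected.
      proposed_pinned:     proposed_cert_store(ca_file: pinned_pem).verify(leaf),
      # Pinning the CA that actually issued the leaf still works.
      proposed_correct_ca: proposed_cert_store(ca_file: system_roots_pem).verify(leaf),
      # With no :ca_file / :ca_path the system roots remain the default.
      proposed_defaults:   proposed_cert_store({}).verify(leaf)
    }
  end
ensure
  ENV['SSL_CERT_FILE'] = saved_env
end

if __FILE__ == $PROGRAM_NAME
  pinning_demo.each { |scenario, ok| puts "#{scenario}: #{ok ? 'verified' : 'rejected'}" }
end
```

Until the default changes, the code above also shows the workaround the existing `ssl_cert_store` already supports: build an `OpenSSL::X509::Store` yourself with only `add_file`/`add_path` and pass it as `ssl: { cert_store: store }`, since an explicit `:cert_store` is returned before `set_default_paths` is ever called.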