feat: add ssl opt to httpc by default (#626)

yordis · web-flow · commit 63502b25471f · 2024-08-01T11:06:17.000-04:00
diff --git a/lib/tesla/adapter/httpc.ex b/lib/tesla/adapter/httpc.ex
@@ -8,6 +8,8 @@ defmodule Tesla.Adapter.Httpc do
   consistency between adapters
   """
 
+  current_otp_version = List.to_integer(:erlang.system_info(:otp_release))
+
   @behaviour Tesla.Adapter
   import Tesla.Adapter.Shared, only: [stream_to_fun: 1, next_chunk: 1]
   alias Tesla.Multipart
@@ -18,12 +20,37 @@ defmodule Tesla.Adapter.Httpc do
   @impl Tesla.Adapter
   def call(env, opts) do
     opts = Tesla.Adapter.opts(@override_defaults, env, opts)
+    opts = add_default_ssl_opt(env, opts)
 
     with {:ok, {status, headers, body}} <- request(env, opts) do
       {:ok, format_response(env, status, headers, body)}
     end
   end
 
+  # TODO: remove this once OTP 25+ is required
+  if current_otp_version >= 25 do
+    def add_default_ssl_opt(env, opts) do
+      default_ssl_opt = [
+        ssl: [
+          verify: :verify_peer,
+          cacerts: :public_key.cacerts_get(),
+          depth: 3,
+          customize_hostname_check: [
+            match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+          ],
+          crl_check: true,
+          crl_cache: {:ssl_crl_cache, {:internal, [http: 1000]}}
+        ]
+      ]
+
+      Tesla.Adapter.opts(default_ssl_opt, env, opts)
+    end
+  else
+    def add_default_ssl_opt(_env, opts) do
+      opts
+    end
+  end
+
   defp format_response(env, {_, status, _}, headers, body) do
     %{env | status: status, headers: format_headers(headers), body: format_body(body)}
   end
diff --git a/mix.exs b/mix.exs
@@ -17,7 +17,7 @@ defmodule Tesla.Mixfile do
       test_coverage: [tool: ExCoveralls],
       dialyzer: [
         plt_core_path: "_build/#{Mix.env()}",
-        plt_add_apps: [:mix, :inets, :idna, :ssl_verify_fun, :ex_unit],
+        plt_add_apps: [:public_key, :mix, :inets, :idna, :ssl_verify_fun, :ex_unit],
         plt_add_deps: :apps_direct
       ],
       docs: docs(),
diff --git a/test/tesla/adapter/httpc_test.exs b/test/tesla/adapter/httpc_test.exs
@@ -45,4 +45,36 @@ defmodule Tesla.Adapter.HttpcTest do
 
     assert data["headers"]["content-type"] == "text/plain"
   end
+
+  describe "badssl" do
+    @describetag :integration
+
+    test "expired.badssl.com" do
+      assert {:error, :econnrefused} =
+               Tesla.get(Tesla.client([], Tesla.Adapter.Httpc), "https://expired.badssl.com")
+    end
+
+    test "wrong.host.badssl.com" do
+      assert {:error, :econnrefused} =
+               Tesla.get(Tesla.client([], Tesla.Adapter.Httpc), "https://wrong.host.badssl.com")
+    end
+
+    test "self-signed.badssl.com" do
+      assert {:error, :econnrefused} =
+               Tesla.get(Tesla.client([], Tesla.Adapter.Httpc), "https://self-signed.badssl.com")
+    end
+
+    test "untrusted-root.badssl.com" do
+      assert {:error, :econnrefused} =
+               Tesla.get(
+                 Tesla.client([], Tesla.Adapter.Httpc),
+                 "https://untrusted-root.badssl.com"
+               )
+    end
+
+    test "revoked.badssl.com" do
+      assert {:error, :econnrefused} =
+               Tesla.get(Tesla.client([], Tesla.Adapter.Httpc), "https://revoked.badssl.com")
+    end
+  end
 end
