feat(transport): Use env vars for default CA cert bundle location #3160
Conversation
Many libraries use the SSL_CERT_FILE environment variable to point at a CA bundle to use for HTTPS certificate verification. This is often used in corporate environments with internal CAs or HTTPS hijacking proxies, where the Sentry server presents a certificate not signed by one of the CAs bundled with Certifi. Additionally, Requests, Python's most popular HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead. Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the default CA bundle. Fixes getsentryGH-3158
DragoonAethis
force-pushed
the
ca-certs-from-env-vars
branch
from
2765e42
to
863562f
Compare
There was a problem hiding this comment.
you're right that testing this is tricky but we can just merge, it's mostly a harmless change.
One remark:
I assume there's no way to keep the precedence order to have certifi.where() first because it returns a string, this would be better to ensure backwards compat on weird systems that might have both.
|
github-actions
bot
removed
the
Trigger: tests using secrets
|
Thanks! |
Many libraries use the SSL_CERT_FILE environment variable to point at a CA bundle to use for HTTPS certificate verification. This is often used in corporate environments with internal CAs or HTTPS hijacking proxies, where the Sentry server presents a certificate not signed by one of the CAs bundled with Certifi. Additionally, Requests, Python's most popular HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.
Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the default CA bundle.
Fixes GH-3158
One thing I'm not sure about is how to test this - this would require setting up a custom self-signed CA, generate bundle + self-signed certs for the devserver, run tests with env vars against it...