castore's People

Contributors

chulkilee, ericmj, github-actions[bot], kianmeng, princemaple, whatyouhide, wingyplus, wojtekmach

castore's Issues

How often should we update our app that has castore installed?

Hi,

I am seeing from the commit log that the certificate file priv/cacerts.pem is getting updated from time to time, and along with the change to the file, a new version is also released.

I am wondering how often we should update the castore package installed in a Mix application, so that the running application never has a certificate problem.

Thanks,
Dev.

not working from within escript

This issue pops up when sending an HTTPS request via Finch.
It seems as though CAStore is not compiled into the binary built via escript.build.

** (ArgumentError) unknown application: :castore
        (elixir 1.12.0) lib/application.ex:880: Application.app_dir/1
        (elixir 1.12.0) lib/application.ex:907: Application.app_dir/2
        (mint 1.3.0) lib/mint/core/transport/ssl.ex:572: Mint.Core.Transport.SSL.add_cacerts/1
        (mint 1.3.0) lib/mint/core/transport/ssl.ex:442: Mint.Core.Transport.SSL.add_verify_opts/2
        (mint 1.3.0) lib/mint/core/transport/ssl.ex:432: Mint.Core.Transport.SSL.ssl_opts/2
        (mint 1.3.0) lib/mint/core/transport/ssl.ex:328: Mint.Core.Transport.SSL.connect/4
        (mint 1.3.0) lib/mint/http1.ex:114: Mint.HTTP1.connect/4
        (finch 0.8.1) lib/finch/http1/conn.ex:45: Finch.Conn.connect/1
        (finch 0.8.1) lib/finch/http1/pool.ex:45: anonymous fn/8 in Finch.HTTP1.Pool.request/5
        (nimble_pool 0.2.4) lib/nimble_pool.ex:266: NimblePool.checkout!/4
        (finch 0.8.1) lib/finch/http1/pool.ex:39: Finch.HTTP1.Pool.request/5
        (finch 0.8.1) lib/finch.ex:261: Finch.request/3
        (property_finances_import 0.3.0) lib/property_finances_import/soap_client.ex:106: SOAP.get_soap_response/3
        (elixir 1.12.0) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
        (elixir 1.12.0) lib/task/supervised.ex:35: Task.Supervised.reply/5
        (stdlib 3.15) proc_lib.erl:226: :proc_lib.init_p_do_apply/3

Prepare for DST Root CA X3 expiry

At 14:01:15 UTC on September 30th, the "DST Root CA X3" certificate will expire. I'm sure the certificate will then be removed upstream and CI will then notify you to publish an update. However, I'm worried that quite a few things may have broken by that time.

I wrote up the details in this post a couple of days ago, but TL;DR:

  • In OTP 23.3 and later, an expired root CA in the trust store causes TLS handshake failures without invoking any partial_chain handler (used by many clients, including Mint and Hackney, to support cross-signed certificates)
  • Let's Encrypt is encouraging the use of a cross-signed version of their own root CA, signed by the expiring "DST Root CA X3" certificate, to ensure compatibility with old Android devices

As a result, the moment "DST Root CA X3" expires clients such as Mint will fail to connect to servers with a Let's Encrypt certificate that have been configured to serve up the longer (default) chain. I believe the only way to resolve this, besides configuring the server to omit the cross-signed CA certificate, is to remove the "DST Root CA X3" certificate from the trust store.

We may have to consider releasing a version of castore that omits the "DST Root CA X3" certificate some time before September 30th, to give people a chance to upgrade their code and deploy it to production, to stop applications from breaking that day. I thought I'd raise the issue well ahead of time so we can explore alternatives. What do you think...?
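The mitigation proposed above, removing an expired root from the trust store, as an added example that is not castore's own code or a script from the post's author: a POSIX sh function that splits a PEM bundle such as priv/cacerts.pem into single certificates and keeps only those that are still valid. It generalises slightly by taking a horizon in seconds, so with 0 it drops roots that have already expired and with a larger value it also drops roots that will expire within that window. It assumes an OpenSSL command-line tool on PATH; the file names are illustrative.

```shell
#!/bin/sh
# Added example (not castore's own code): drop expired roots from a PEM bundle.
# Assumes the `openssl` CLI is available. File names are illustrative.

# prune_expired_roots <in.pem> <out.pem> [horizon_seconds]
# Writes the certificates that are still valid (and stay valid for at least
# horizon_seconds, default 0) to <out.pem>; prints the number dropped.
prune_expired_roots() {
  in_pem=$1
  out_pem=$2
  horizon=${3:-0}
  tmpdir=$(mktemp -d)

  # Split the bundle: one numbered file per BEGIN/END CERTIFICATE block.
  # Anything between blocks (the comment lines mk-ca-bundle emits) is skipped.
  awk -v dir="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/%04d.pem", dir, n); inside = 1 }
    inside { print > file }
    /-----END CERTIFICATE-----/ { inside = 0; close(file) }
  ' "$in_pem"

  : > "$out_pem"
  dropped=0
  for f in "$tmpdir"/*.pem; do
    [ -e "$f" ] || continue
    # `-checkend N` exits non-zero when the certificate expires within N seconds.
    if openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null 2>&1; then
      cat "$f" >> "$out_pem"
    else
      dropped=$((dropped + 1))
    fi
  done

  rm -rf "$tmpdir"
  echo "$dropped"
}
```

Running it with a horizon of a few weeks before a known root expiry date produces a bundle that can be shipped ahead of time, which is the "release a version that omits the certificate" option the post describes; clients that rely on a partial_chain handler for cross-signed chains are unaffected by the removal because the handler is only consulted when the handshake gets that far.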

Mix task seems missing

I just installed the package from hex, and the mix task is missing

** (Mix) The task "certdata" could not be found

Release 1.20.1 from hex is missing the VERSION file referenced in mix.exs

Error while loading project :castore at /home/samuel/dpi_ws/uriel_counter/deps/castore
** (File.Error) could not read file "VERSION": no such file or directory

mix.lock

  "castore": {:hex, :castore, "0.1.21", "f618df4d83ad844979e2748cb76937d970ea2c1aee3ca96d4c8301884b9939a1", [:mix], [], "hexpm", "1e4c72e5c476e50deee88ec1e6949f804c9a410d813dc17d3ce78b9b7c55b289"},

mix.exs

defmodule CAStore.MixProject do
  use Mix.Project

  @repo_url "https://github.com/elixir-mint/castore"

  def project do
    [
      app: :castore,
      version: version(),
      elixir: "~> 1.0",
      start_permanent: Mix.env() == :prod,
      deps: deps(),
      xref: [exclude: [:public_key]],

      # Hex
      package: package(),
      description: "Up-to-date CA certificate store.",

      # Docs
      name: "CAStore",
      docs: [
        source_ref: "v#{version()}",
        source_url: @repo_url
      ]
    ]
  end

  def application do
    [
      extra_applications: [:logger]
    ]
  end

  defp deps do
    [
      {:ex_doc, "~> 0.22", only: :dev}
    ]
  end

  defp package do
    [
      files: ["lib/castore.ex", "priv", "mix.exs", "README.md"],
      licenses: ["Apache-2.0"],
      links: %{"GitHub" => @repo_url}
    ]
  end

  defp version do
    "VERSION"
    |> File.read!()
    |> String.trim()
  end
end

CI creates a new release when curl command fails

Hey folks!

As noted by @cgrothaus in #67 (comment), the Outdated CI pipeline mistakenly bumps the library version and creates a new release whenever the curl command fails:
https://github.com/elixir-mint/castore/actions/runs/8761722399/job/24048599140

SHA256 of old file: 0
Downloading certdata.txt ...
Get certdata with curl!
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hg.mozilla.org:443 
Failed downloading via HTTPS with curl
Falling back to HTTP
URLs other than HTTPS are disabled by default, to enable use -k
** (File.Error) could not remove file "ca-bundle.crt": no such file or directory
    (elixir 1.14.3) lib/file.ex:1182: File.rm!/1
    (castore 1.0.6) lib/mix/tasks/certdata.ex:90: Mix.Tasks.Certdata.fetch_ca_bundle/0
    (castore 1.0.6) lib/mix/tasks/certdata.ex:55: Mix.Tasks.Certdata.run/1
    (mix 1.14.3) lib/mix/task.ex:421: anonymous fn/3 in Mix.Task.run_task/4
    (mix 1.14.3) lib/mix/cli.ex:84: Mix.CLI.run_task/2
[outdated 912f587] Update certificates
 1 file changed, 1 insertion(+), 1 deletion(-)
remote: 
remote: Create a pull request for 'outdated' on GitHub by visiting:        
remote:      https://github.com/elixir-mint/castore/pull/new/outdated        
remote: 
To https://github.com/elixir-mint/castore
 * [new branch]      outdated -> outdated
branch 'outdated' set up to track 'origin/outdated'.

This happens because the exit code of mix certdata --check-outdated is the same when there are outdated certificates and when some failure occurs with fetching the certificates.
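The fix the post points at, telling "upstream differs" apart from "the download failed", as an added example that is not castore's own CI script or mix task: a POSIX sh check step that fetches the upstream file, compares its SHA-256 with the committed copy and returns a distinct exit code for each outcome, so the release job can be gated on code 1 alone. The fetcher is a function argument so the check can be exercised against local files; CERTDATA_URL is a placeholder, not the real upstream location, and the default fetcher refuses plaintext HTTP rather than falling back to it.

```shell
#!/bin/sh
# Added example (not castore's CI or mix task code): a check step with distinct
# exit codes. CERTDATA_URL is a placeholder; the fetch function is pluggable.

CERTDATA_URL="https://example.invalid/certdata.txt"   # placeholder, not the real source

# Default fetcher: HTTPS only, HTTP status >= 400 counts as failure, no fallback.
fetch_with_curl() {   # <url> <dest>
  curl --fail --silent --show-error --proto '=https' --output "$2" "$1"
}

sha256_of() {   # <file> -> hex digest on stdout
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# check_outdated <current_file> <url> [fetch_fn]
# Exit codes: 0 = up to date, 1 = upstream differs (outdated), 2 = fetch failed.
# Only code 1 should trigger a version bump and release.
check_outdated() {
  current=$1
  url=$2
  fetch=${3:-fetch_with_curl}
  tmp=$(mktemp)

  if ! "$fetch" "$url" "$tmp"; then
    rm -f "$tmp"
    echo "fetch failed; leaving $current untouched" >&2
    return 2
  fi
  # An empty download is a failure, not a new upstream version.
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "fetch returned an empty file" >&2
    return 2
  fi

  new_sha=$(sha256_of "$tmp")
  if [ -f "$current" ]; then
    old_sha=$(sha256_of "$current")
  else
    old_sha=none
  fi
  rm -f "$tmp"

  if [ "$new_sha" = "$old_sha" ]; then
    return 0
  fi
  echo "upstream differs: $old_sha -> $new_sha" >&2
  return 1
}

# Usage in a pipeline step (curl fetcher, placeholder URL):
#   check_outdated priv/certdata.txt "$CERTDATA_URL"; rc=$?
#   case $rc in 0) echo up-to-date ;; 1) echo outdated ;; *) echo fetch-failed; exit $rc ;; esac
```

The three-way split is the whole point: with a single non-zero code a pipeline cannot tell a transient TLS error from a genuine upstream change, which is exactly how a failed curl turned into a release here.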

mix task missing

It seems the code published to hex does not contain the mix task.

CaStore and certifi

I believe :certifi.cacertfile() is the same feature as CAStore.file_path(), as both provide a local file path for up-to-date Mozilla certs by default.

Could someone explain the point of having our own castore library instead of using :certifi?

How often is the CA certificate store updated?

Just wondering how often the CAs are updated? And how do you know when to update? I want to use CAStore to get the latest Mozilla CA certificates and I'm not sure if I can rely on a new version of CAStore being released every time Mozilla's list is updated or if I should instead rely on mix certdata to always be up-to-date.

could not read file "VERSION" with castore 1.0.2

** (File.Error) could not read file "VERSION": no such file or directory
    (elixir 1.14.4) lib/file.ex:358: File.read!/1
    /Users/toranb/code/helloworld/deps/castore/mix.exs:53: CAStore.MixProject.version/0
    /Users/toranb/code/helloworld/deps/castore/mix.exs:9: CAStore.MixProject.project/0
    (mix 1.14.4) lib/mix/project.ex:838: Mix.Project.get_project_config/1

I was installing the latest dependencies for a project this morning and found the latest castore is now missing a version file.

Thanks again for supporting open source!
