Adding more SSL options for client certificates (Mutual TLS)

[MichaelViveros]

Currently to get mutual TLS working with my client certificate I had to:

1. Manually add back the default SSL options for things like server certificate verification and maximum certificate chain length. I did it slightly differently than the readme recommends by calling :hackney_connect.ssl_opts/2.
2. Manually append my client certificate's intermediate certificate to the certifi cacerts so that my client certificate chain could be properly sent
3. Manually append my organization's custom CA certificate to cacerts which is used by our internal test server to test mutual TLS

The (Elixir) code looks like this:

def set_ssl_options(host) do
  custom_options = [
    versions: [:"tlsv1.2"],
    certfile: client_certificate_path(),
    keyfile: client_key_path()
  ]

  # 1
  default_hackney_options = :hackney_connect.ssl_opts(host, [])
  merged_options = default_hackney_options ++ custom_options

  # 2
  [{:Certificate, certificate_chain_binary, :not_encrypted}] =
    :public_key.pem_decode(client_intermediate_certificate())

  # 3
  [{:Certificate, custom_ca_binary, :not_encrypted}] =
    :public_key.pem_decode(custom_ca_certificate())

  merged_cacerts = default_hackney_options[:cacerts] ++ [certificate_chain_binary, custom_ca_binary]

  Keyword.put(merged_options, :cacerts, merged_cacerts)
end

I want to clean this up by:

1. Getting hackney to add these default SSL options so I just have to add the options for the client certificate. I know the current behaviour is to override all the default SSL options if you provide your own but I think in some cases it'd still be good to have the default ones
2. Adding a client_chain option that hackney will append to cacerts
3. Adding a custom_ca option that hackney will append to cacerts

What do you think?

[MichaelViveros]

@benoitc

[benoitc]

sorry i didn't see that ticket until know. I am not sure I like to have more options. You may also want later add more options. Maybe an API explicitly manipulating the Client Options would also work in your case?

[MichaelViveros]

Sounds good, something like :hackney_connect.client_ssl_opts(host, certfile, keyfile, client_chain, custom_ca) which will just return the default ssl options + the client ones like my code above? And the last 2 args can be optional.

[benoitc]

why not passing a map?

[MichaelViveros]

True. How would you specify what the possible keys are to the user? Just in the docs? And 2 maps might be best, one for the normal ssl options where you can specify tls version, client cert and key, ... and one for the custom options I’m adding

[benoitc]

hrm I will think a little about it , but yes we may need 2 maps,the default one can be reused directly so passing an atom default should be enough in such case.

[MichaelViveros]

Get a chance to think about it some more? Perhaps it's best if I get started on the PR?

[MichaelViveros]

Does that sound good @benoitc ?