
Authenticity is not established by certificate path validation (OTP24) #39

Closed
pedro-gutierrez opened this issue Aug 24, 2021 · 7 comments

Comments

@pedro-gutierrez

pedro-gutierrez commented Aug 24, 2021

Describe the bug

When running on OTP24, this SDK produces the following warnings in the shell or console logs:

Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'

Currently there is no way to specify custom ssl options to the ldclient instances, and no default ssl options are passed to the underlying http clients (shotgun and httpc).

To reproduce

  1. Setup an Erlang or Elixir project running OTP24.
  2. Configure the LaunchDarkly SDK as usual, using a valid SDK key.
  3. Run your application and wait a few seconds. As soon as the streaming connection is established via shotgun, you should see the above warning.

Then:

  1. Try to fetch a variant for an unknown flag, e.g. by calling ldclient:variation/4.
  2. Wait for events to be flushed (usually after 30s). As soon as events are dispatched to LD via the httpc client, you should see the above warning as well.

Expected behavior

It should be possible to define ssl options to be passed to the underlying http clients, in order to do more strict verification of server certificates and avoid the above SSL related warnings printed by OTP.

SDK version
1.1.1

Language version, developer tools

Erlang/OTP 24 (very important!)

OS/platform

macOS Big Sur and Linux.

Additional context

This is a great presentation that better describes the issue: https://www.youtube.com/watch?v=0jzcPnsE4nQ

@pedro-gutierrez pedro-gutierrez changed the title Authenticity is not established by certificate path validation (OT24) Authenticity is not established by certificate path validation (OTP24) Aug 24, 2021
@zurab-darkly
Contributor

Hi @pedro-gutierrez - thank you for the issue report and the PR. We will look into this.

Filed internally as 120173.

@pedro-gutierrez
Author

Hey @zurab-darkly I hope all is going well :)
Do you think this ssl thing is a valid concern and the fix I suggested could help solving it?
Thank you!

@kinyoklion
Member

@pedro-gutierrez Please check release 1.3.0: #50

@pedro-gutierrez
Author

pedro-gutierrez commented Nov 8, 2021

Hey @kinyoklion thanks for this.

Here is how I am starting my ldclient:

sdk_key = "..."
opts = %{http_options: %{tls_options: %{ ... }}}
:ldclient.start_instance(sdk_key, opts)

This seems to work. I no longer get OTP's ssl warning and this is great!

However, dialyzer complains with:

 The call ldclient:start_instance
         (_sdk_key@1 :: string(),
          #{'http_options' :=
                #{'tls_options' :=
                      [{'cacertfile', binary() | string()} |
                       {'customize_hostname_check', [{_, _}, ...]} |
                       {'verify', 'verify_peer'},
                       ...]}}) will never return since it differs in the 2nd argument from the success typing arguments: 
         (string(),
          atom() |
          #{'base_uri' => string(),
            'events_capacity' => pos_integer(),
            'events_dispatcher' => atom(),
            'events_flush_interval' => pos_integer(),
            'feature_store' => atom(),
            'inline_users_in_events' => boolean(),
            'offline' => boolean(),
            'polling_interval' => pos_integer(),
            'polling_update_requestor' => atom(),
            'private_attributes' => 'all' | [atom() | binary()],
            'stream' => boolean(),
            'stream_uri' => string(),
            'user_keys_capacity' => pos_integer()})

In order to avoid this dialyzer error I also tried to register my http_options beforehand with:

:ok = :ldclient_config.register(:default, opts)   

then I call :ldclient.start_instance(sdk_key, :default) but if I do this then my initial http options get removed from the env, and the OTP ssl warning is back.

Any idea what I might be doing wrong?
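The following is an added example, not code from the SDK or from the issue author. It builds the kind of tls_options list the issue body asks for (verify_peer, a CA source, and a hostname check, which is exactly what OTP 24's ssl application requires before it will stop emitting the "Authenticity is not established" warning), refuses to hand over a list that would still trigger the warning, and passes it to ldclient in the http_options/tls_options shape the comment above reports working with SDK 1.3.x. The module name LdTls, the check! helper and the default CA bundle path are assumptions for illustration; the path is the Debian/Ubuntu location and will differ on other systems.

```elixir
# Added example (not part of the LaunchDarkly SDK or of this issue).
defmodule LdTls do
  @moduledoc """
  Builds and checks the ssl option list handed to the LaunchDarkly
  Erlang SDK's HTTP clients (shotgun and httpc) via
  `http_options: %{tls_options: ...}`.

  On OTP 24 the ssl application logs
  "Authenticity is not established by certificate path validation"
  for any client connection that lacks `{verify, verify_peer}` together
  with a `cacertfile` or `cacerts` source. Without those options the
  peer certificate is accepted unverified, so the warning is the
  symptom of a real problem, not noise.
  """

  # Assumed default location of the system CA bundle (Debian/Ubuntu).
  @default_cacertfile "/etc/ssl/certs/ca-certificates.crt"

  @doc """
  Returns an Erlang proplist of client ssl options that perform full
  certificate path validation and HTTPS hostname matching.
  """
  @spec client_options(Path.t()) :: [{atom(), term()}]
  def client_options(cacertfile \\ @default_cacertfile) do
    [
      # verify_none (the ssl default) accepts any certificate; verify_peer
      # makes the handshake fail unless the chain validates.
      verify: :verify_peer,
      # Trust anchors for path validation. ssl accepts string() or binary()
      # here (see the dialyzer output above); a charlist is the safe choice.
      cacertfile: to_charlist(cacertfile),
      # Maximum number of intermediate CAs between the leaf and a root.
      depth: 3,
      # ssl's built-in hostname check does not apply HTTPS wildcard rules;
      # the https match fun from public_key does (RFC 6125 style).
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  @doc """
  Fails fast on an option list that would still produce the OTP 24 warning
  (and, more importantly, an unauthenticated connection): `verify` must be
  `:verify_peer` and one of `cacertfile` / `cacerts` must be present.
  """
  @spec check!([{atom(), term()}]) :: [{atom(), term()}]
  def check!(opts) do
    unless Keyword.get(opts, :verify) == :verify_peer do
      raise ArgumentError, "tls_options must include verify: :verify_peer"
    end

    unless Keyword.has_key?(opts, :cacertfile) or Keyword.has_key?(opts, :cacerts) do
      raise ArgumentError, "tls_options must include cacertfile or cacerts"
    end

    opts
  end

  @doc """
  Starts the default ldclient instance with checked TLS options.

  The `http_options: %{tls_options: ...}` map is the shape reported as
  working with SDK 1.3.x in this thread; the sdk key is converted to a
  charlist because the SDK's success typing declares it as string().
  The `ldclient_config.register/2` route is deliberately not used, since
  the thread reports it drops the http options.
  """
  @spec start_ldclient(String.t() | charlist(), Path.t()) :: term()
  def start_ldclient(sdk_key, cacertfile \\ @default_cacertfile) do
    tls = check!(client_options(cacertfile))
    :ldclient.start_instance(to_charlist(sdk_key), %{http_options: %{tls_options: tls}})
  end
end
```

Usage: `LdTls.start_ldclient(System.fetch_env!("LD_SDK_KEY"))` from your application's start callback. If you would rather not depend on a file path, the same `check!/1` accepts a `cacerts:` entry holding DER-encoded roots (for example from the `castore` or `certifi` packages, or, on OTP 25 and later, `:public_key.cacerts_get/0`); on OTP 24 a `cacertfile` is the simplest option.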

@kinyoklion
Member

@pedro-gutierrez It looks like there is a mistake in the typings. You don't seem to be doing anything wrong, and it should function correctly. I've filed an internal ticket for us to resolve this. Thank you, and thanks for letting me know about the issue.

Filed internally as 130423.

@pedro-gutierrez
Author

Awesome, thank you @kinyoklion. For now I am adding an exception to ignore these warnings in my build.

@kinyoklion
Member

@pedro-gutierrez 1.3.1 has been published which should resolve your dialyzer issue.
