Trust store: Overwrite conflicting ssl options and ensure cacerts set #15116
+74
−18
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`lists:keymerge/3` was used to merge required options into user provided ssl options, which assumes the input lists are sorted. No matter if the intention was to preserve user provided options or overwrite them in case of conflict, without sorting, the outcome was unpredictable. It is also somewhat surprising to those who are used to the behaviour of `proplists:get_value` that the ssl app (at least since OTP 26) takes the last value not the first when same key with multiple values are provided. This commit makes sure the input lists are ordered. Also changes the behaviour of the plugin that all keys used by the plugin overwrite user provided values (`fail_if_no_peer_cert`, `partial_chain`, `verify`, `verify_fun`) Also if the user did not provide a `cacerts` or `cacertfile` option, an empty `cacerts` list is added, as ssl config validation requires it in case `verify_peer` is enabled.
lukebakken
approved these changes
Dec 11, 2025
michaelklishin
approved these changes
Dec 11, 2025
Merged
12 tasks
michaelklishin
added a commit
that referenced
this pull request
Dec 12, 2025
Trust store: Overwrite conflicting ssl options and ensure cacerts set (backport #15116)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
Addresses #15103
lists:keymerge/3was used to merge required options into user provided ssl options, which assumes the input lists are sorted. No matter if the intention was to preserve user provided options or overwrite them in case of conflict, without sorting, the outcome was unpredictable. It is also somewhat surprising to those who are used to the behaviour ofproplists:get_value(like me) that the ssl app (at least since OTP 26) takes the last value not the first when same key with multiple values are provided.This commit makes sure the input lists are ordered. Also changes the behaviour of the plugin that all keys used by the plugin overwrite user provided values (
fail_if_no_peer_cert,partial_chain,verify,verify_fun)Also if the user did not provide a
cacertsorcacertfileoption, an emptycacertslist is added, as ssl config validation requires it in caseverify_peeris enabled.Types of Changes
What types of changes does your code introduce to this project?
Put an
xin the boxes that applyChecklist
Put an
xin the boxes that apply.You can also fill these out after creating the PR.
This is simply a reminder of what we are going to look for before merging your code.
CONTRIBUTING.mddocumentFurther Comments