From 00e617b66080c0d7d664c12148037867984870a0 Mon Sep 17 00:00:00 2001 From: Robert Newson Date: Mon, 29 Jun 2026 15:58:17 +0100 Subject: [PATCH] nouveau: always use cacertfile if specified; explicit peer verification Unless client certificates are used the cacertfile setting is ignored. There are legitimate reasons you might want to specify the allowed CA certificates without using client certificates, so always set this. Erlang 26 and above uses verify_peer by default but it doesn't hurt to be explicit. The new ssl_verify also allowes the ability to disable peer verification which might be useful in dev and testing environments. --- rel/overlay/etc/default.ini | 3 +++ src/nouveau/src/nouveau_gun.erl | 19 ++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini index aac8ff5845d..9a50fae462a 100644 --- a/rel/overlay/etc/default.ini +++ b/rel/overlay/etc/default.ini @@ -1075,6 +1075,9 @@ url = {{nouveau_url}} ; Path to file containing CA certificate for the remote nouveau server (optional). ;ssl_cacert_file = +; Verify peers +;ssl_verify = true + [disk_monitor] ;enable = false ;background_view_indexing_threshold = 80 diff --git a/src/nouveau/src/nouveau_gun.erl b/src/nouveau/src/nouveau_gun.erl index 75792465b4e..900d42bd5b1 100644 --- a/src/nouveau/src/nouveau_gun.erl +++ b/src/nouveau/src/nouveau_gun.erl @@ -129,8 +129,16 @@ start_gun(URL) -> KeyFile = config:get("nouveau", "ssl_key_file"), CertFile = config:get("nouveau", "ssl_cert_file"), Password = config:get("nouveau", "ssl_password"), + Verify = verify(config:get_boolean("nouveau", "ssl_verify", true)), Transport = scheme_to_transport(Scheme), BaseConnOptions = #{transport => Transport, protocols => [http2]}, + BaseTLSOptions = + if + CACertFile /= undefined -> + [{verify, Verify}, {cacertfile, CACertFile}]; + true -> + [{verify, Verify}] + end, ConnOptions = if Transport == tls andalso KeyFile /= undefined andalso CertFile /= undefined -> @@ -142,7 +150,11 @@ start_gun(URL) -> }, CertKeyConf1 = maps:filter(fun remove_undefined/2, CertKeyConf0), BaseConnOptions#{ - tls_opts => [{certs_keys, [CertKeyConf1]}] + tls_opts => [{certs_keys, [CertKeyConf1]} | BaseTLSOptions] + }; + Transport == tls -> + BaseConnOptions#{ + tls_opts => BaseTLSOptions }; true -> BaseConnOptions @@ -160,3 +172,8 @@ scheme_to_transport("http") -> tcp; scheme_to_transport("https") -> tls. + +verify(false) -> + verify_none; +verify(true) -> + verify_peer.