Add warning about pre-OTP25 support for SSLConnect

Signed-off-by: Connor Rigby <[email protected]>
nerves-networking · May 2, 2024 · 6be5110 · 6be5110
1 parent 09f8614
commit 6be5110
Showing 1 changed file with 19 additions and 6 deletions.
diff --git a/lib/vintage_net/connectivity/ssl_connect.ex b/lib/vintage_net/connectivity/ssl_connect.ex
@@ -9,6 +9,7 @@ defmodule VintageNet.Connectivity.SSLConnect do
 
   import VintageNet.Connectivity.TCPPing, only: [get_interface_address: 2]
   alias VintageNet.Connectivity.HostList
+  require Logger
 
   @connect_timeout 5_000
 
@@ -30,12 +31,7 @@ defmodule VintageNet.Connectivity.SSLConnect do
            :ssl.connect(
              to_charlist(host),
              port,
-             [
-               verify: :verify_peer,
-               cacerts: :public_key.cacerts_get(),
-               active: false,
-               ip: src_ip
-             ],
+             connect_opts(src_ip),
              @connect_timeout
            ) do
       _ = :ssl.close(ssl)
@@ -48,4 +44,21 @@ defmodule VintageNet.Connectivity.SSLConnect do
         {:error, posix_error}
     end
   end
+
+  defp connect_opts(src_ip) do
+    base = [
+      verify: :verify_peer,
+      active: false,
+      ip: src_ip
+    ]
+
+    if Code.ensure_loaded?(:public_key) and function_exported?(:public_key, :cacerts_get, 0) do
+      cacerts = apply(:public_key, :cacerts_get, [])
+      Keyword.put(base, :cacerts, cacerts)
+    else
+      Logger.warning("SSLConnect support on OTP 24 is limited due to lack of cacerts")
+      # remove the verify_peer option, since we don't have CA certs
+      Keyword.delete(base, :verify)
+    end
+  end
 end