From 4364f2a231f783fd91e877f9dad0d4fdef537fbd Mon Sep 17 00:00:00 2001
From: Jacob Quinn
Date: Fri, 7 Oct 2022 14:06:37 -0600
Subject: [PATCH] Support specifying CA_BUNDLE via env variables (#933)
Fixes #925.
---
 src/ConnectionPool.jl | 14 +++++++++++++-
 test/client.jl | 11 ++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/ConnectionPool.jl b/src/ConnectionPool.jl
index 884fdc615..cc5ef75cf 100644
--- a/src/ConnectionPool.jl
+++ b/src/ConnectionPool.jl
@@ -23,7 +23,7 @@ export Connection, newconnection, releaseconnection, getrawstream, inactivesecon
 using Sockets, LoggingExtras, NetworkOptions
 using MbedTLS: SSLConfig, SSLContext, setup!, associate!, hostname!, handshake!
-using OpenSSL
+using MbedTLS, OpenSSL
 using ..IOExtras, ..Conditions, ..Exceptions
 const default_connection_limit = 8
@@ -439,6 +439,11 @@ function global_sslconfig(require_ssl_verification::Bool)::SSLConfig
 default_sslconfig = SSLConfig(true)
 noverify_sslconfig = SSLConfig(false)
 end
+ if haskey(ENV, "HTTP_CA_BUNDLE")
+ MbedTLS.ca_chain!(default_sslconfig, MbedTLS.crt_parse(read(ENV["HTTP_CA_BUNDLE"], String)))
+ elseif haskey(ENV, "CURL_CA_BUNDLE")
+ MbedTLS.ca_chain!(default_sslconfig, MbedTLS.crt_parse(read(ENV["CURL_CA_BUNDLE"], String)))
+ end
 return require_ssl_verification ? default_sslconfig : noverify_sslconfig
 end
@@ -463,6 +468,13 @@ function getconnection(::Type{SSLStream},
 tcp = getconnection(TCPSocket, host, port; kw...)
 # Create SSL stream.
 ssl_stream = SSLStream(tcp)
+ if isdefined(OpenSSL, :ca_chain!)
+ if haskey(ENV, "HTTP_CA_BUNDLE")
+ OpenSSL.ca_chain!(ssl_stream.ssl_context, ENV["HTTP_CA_BUNDLE"])
+ elseif haskey(ENV, "CURL_CA_BUNDLE")
+ OpenSSL.ca_chain!(ssl_stream.ssl_context, ENV["CURL_CA_BUNDLE"])
+ end
+ end
 OpenSSL.hostname!(ssl_stream, host)
 OpenSSL.connect(ssl_stream)
 return ssl_stream
diff --git a/test/client.jl b/test/client.jl
index ee6065e8a..8d18c88c5 100644
--- a/test/client.jl
+++ b/test/client.jl
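Review bot: `+using MbedTLS, OpenSSL` pulls every MbedTLS export into the module namespace although the line above already imports the specific MbedTLS names the file uses, and the new code only ever refers to MbedTLS through qualified calls (`MbedTLS.ca_chain!`, `MbedTLS.crt_parse`). `import MbedTLS` gives exactly that qualified access without widening the namespace or duplicating the selective `using MbedTLS: ...` line; I would write `import MbedTLS` on its own line and leave `using OpenSSL` as it was. This keeps the module's import style consistent with the selective form it already uses.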
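Review bot: The CA bundle is read from disk and parsed with `MbedTLS.crt_parse` on every call to `global_sslconfig`, and `ca_chain!` is re-applied to `default_sslconfig` each time; if that object is the cached global the guarded initialisation just above suggests, the file is re-read for every connection that asks for a config, and the same object is repeatedly mutated, with an effect that depends on whether `ca_chain!` replaces or appends the chain (not visible here). The env lookup is also duplicated for the two variables and again in `getconnection`. I would resolve the path once with `get(ENV, "HTTP_CA_BUNDLE", get(ENV, "CURL_CA_BUNDLE", nothing))`, remember the last applied path in a module-level `Ref{Union{Nothing,String}}` declared beside the config globals, and only re-parse when it changes; a missing file or malformed PEM currently surfaces as a raw `SystemError` or MbedTLS error at connect time, so wrapping it in an `ArgumentError` that names the variable makes a bad `HTTP_CA_BUNDLE` value diagnosable. The function's opening and the initialisation guard lie outside the hunk.
```julia
    # … unchanged: guarded initialisation of default_sslconfig / noverify_sslconfig …
    bundle = get(ENV, "HTTP_CA_BUNDLE", get(ENV, "CURL_CA_BUNDLE", nothing))
    # applied_ca_bundle is a module-level Ref{Union{Nothing,String}} next to the config globals
    if bundle !== nothing && bundle != applied_ca_bundle[]
        chain = try
            MbedTLS.crt_parse(read(bundle, String))
        catch err
            throw(ArgumentError("cannot load CA bundle from $bundle (HTTP_CA_BUNDLE/CURL_CA_BUNDLE): $(sprint(showerror, err))"))
        end
        MbedTLS.ca_chain!(default_sslconfig, chain)
        applied_ca_bundle[] = bundle
    end
    return require_ssl_verification ? default_sslconfig : noverify_sslconfig
```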
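Review bot: When the installed OpenSSL.jl has no `ca_chain!`, the `isdefined(OpenSSL, :ca_chain!)` guard turns the whole new block into a silent no-op, so a caller who set `HTTP_CA_BUNDLE` or `CURL_CA_BUNDLE` gets a connection verified against the default trust store rather than their bundle, with nothing indicating the setting was ignored; for a trust-configuration knob that is the wrong failure mode. At minimum add an `else` branch with `@warn "HTTP_CA_BUNDLE/CURL_CA_BUNDLE ignored: OpenSSL.ca_chain! is not available in this OpenSSL.jl version" maxlog=1` when either variable is set, or drop the guard and raise the OpenSSL compat bound so the feature is always present. The variable lookup duplicates the one in `global_sslconfig`; a small shared helper returning `Union{Nothing,String}` would keep the precedence (`HTTP_CA_BUNDLE` before `CURL_CA_BUNDLE`) in one place for both TLS backends. `getconnection`'s signature begins before the hunk.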
@@ -558,7 +558,6 @@ end
 findnewline(bytes) = something(findfirst(==(UInt8('\n')), bytes), 0)
 @testset "readuntil on Stream" begin
- HTTP.open(:GET, "http://httpbin.org/stream/5") do io
 while !eof(io)
 bytes = readuntil(io, findnewline)
@@ -567,7 +566,17 @@ findnewline(bytes) = something(findfirst(==(UInt8('\n')), bytes), 0)
 @show x
 end
 end
+end
+@testset "CA_BUNDEL env" begin
+ resp = withenv("HTTP_CA_BUNDLE" => HTTP.MbedTLS.MozillaCACerts_jll.cacert) do
+ HTTP.get("https://httpbin.org/ip"; socket_type_tls=SSLStream)
+ end
+ @test resp.status == 200
+ resp = withenv("HTTP_CA_BUNDLE" => HTTP.MbedTLS.MozillaCACerts_jll.cacert) do
+ HTTP.get("https://httpbin.org/ip")
+ end
+ @test resp.status == 200
 end
 end # module
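Review bot: Both requests in the new testset point `HTTP_CA_BUNDLE` at `HTTP.MbedTLS.MozillaCACerts_jll.cacert`, the same bundle the default configuration already trusts, so `@test resp.status == 200` passes whether or not the variable is honoured — including on the OpenSSL path, where the `isdefined(OpenSSL, :ca_chain!)` guard in `getconnection` can make the setting a silent no-op. A discriminating test would also point the variable at a PEM that does not contain the server's root, or at a nonexistent path, and use `@test_throws` with the exception the client raises in that case, so a regression that ignores the variable is caught. The testset name has a typo: `"CA_BUNDEL env"` should read `"CA_BUNDLE env"`. The module's closing `end` is in the context lines, so the testset is top level in the file.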