←back to thread

Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 1 comments | 10 Dec 25 07:06 UTC | HN request time: 0s | source
Show context
gschizas ◴[10 Dec 25 09:31 UTC] No.46215801[source]
The fact that most tools have completely different ways to allow them to add certificates is the biggest pain. Git, Python and Rust also have large issues. Git doesn't default to "http.schannel". Python (or rather requests, or maybe urllib3) only looks at its own certificate store, and I have no idea how Rust does this (well, I use uv, and it has its own problems - I know about the --use-native-tls flag, but it should be a default at the least).
replies(5): >>46215828 #>>46215876 #>>46216017 #>>46216074 #>>46216859 #
1. nikanj ◴[10 Dec 25 09:37 UTC] No.46215828[source]
And many things break in different, exciting ways. For example, we discovered that whilst the JVM can be configured to use system certificate store, that does not apply to websocket connections. So the product seems to be able to connect to the server, but all socket connections bork out with TLS errors.

Fun!

And so many of those products deliver broken chains, and your client needs to download more certificates transparently ( https://systemweakness.com/the-hidden-jvm-flag-that-instantl... )

Double the fun!