From bf264e6fc909589ee965723af9d5743c9ac605b5 Mon Sep 17 00:00:00 2001
From: Lois Soto Lopez <lois@84codes.com>
Date: Thu, 10 Oct 2024 13:08:52 +0200
Subject: [PATCH] Provide specific f. to fix client ssl options

Provides a specific function to fix client ssl options, i.e.: apply all
fixes that are applied for TLS listeneres and clients on previous
versions but also sets `cacerts` option to CA certificates obtained by
`public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are
provided.
---
 .../src/amqp10_client_frame_reader.erl        |  3 ++-
 .../src/amqp_network_connection.erl           |  2 +-
 deps/rabbit_common/src/rabbit_ssl_options.erl | 27 +++++++++++++++++++
 .../src/rabbit_auth_backend_http.erl          |  2 +-
 .../src/rabbit_auth_backend_ldap.erl          |  2 +-
 5 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/deps/amqp10_client/src/amqp10_client_frame_reader.erl b/deps/amqp10_client/src/amqp10_client_frame_reader.erl
index 05d8823999b1..364748b16c85 100644
--- a/deps/amqp10_client/src/amqp10_client_frame_reader.erl
+++ b/deps/amqp10_client/src/amqp10_client_frame_reader.erl
@@ -105,7 +105,8 @@ init([Sup, ConnConfig]) when is_map(ConnConfig) ->
             {ok, expecting_connection_pid, State}
     end.
 
-connect(Address, Port, #{tls_opts := {secure_port, Opts}}) ->
+connect(Address, Port, #{tls_opts := {secure_port, Opts0}}) ->
+    Opts = rabbit_ssl_options:fix_client(Opts0),
     case ssl:connect(Address, Port, ?RABBIT_TCP_OPTS ++ Opts) of
       {ok, S} ->
           {ssl, S};
diff --git a/deps/amqp_client/src/amqp_network_connection.erl b/deps/amqp_client/src/amqp_network_connection.erl
index a5ef739ea0f3..33a906819e09 100644
--- a/deps/amqp_client/src/amqp_network_connection.erl
+++ b/deps/amqp_client/src/amqp_network_connection.erl
@@ -137,7 +137,7 @@ do_connect({Addr, Family},
                          [Family | ?RABBIT_TCP_OPTS] ++ ExtraOpts,
                          Timeout) of
         {ok, Sock} ->
-            SslOpts = rabbit_ssl_options:fix(
+            SslOpts = rabbit_ssl_options:fix_client(
                         orddict:to_list(
                           orddict:merge(fun (_, _A, B) -> B end,
                                         orddict:from_list(GlobalSslOpts),
diff --git a/deps/rabbit_common/src/rabbit_ssl_options.erl b/deps/rabbit_common/src/rabbit_ssl_options.erl
index ee0d1b4a3260..71bb70642f05 100644
--- a/deps/rabbit_common/src/rabbit_ssl_options.erl
+++ b/deps/rabbit_common/src/rabbit_ssl_options.erl
@@ -8,6 +8,7 @@
 -module(rabbit_ssl_options).
 
 -export([fix/1]).
+-export([fix_client/1]).
 
 
 -define(BAD_SSL_PROTOCOL_VERSIONS, [
@@ -22,6 +23,32 @@ fix(Config) ->
       fix_ssl_protocol_versions(
         hibernate_after(Config))).
 
+-spec fix_client(rabbit_types:infos()) -> rabbit_types:infos().
+fix_client(Config) ->
+    fix_cacerts(
+        fix(Config)).
+
+fix_cacerts(SslOptsConfig) ->
+    case application:get_env(rabbit, test_enable_cacerts, false) of
+        true ->
+            CACerts = proplists:get_value(cacerts, SslOptsConfig, undefined),
+            CACertfile = proplists:get_value(cacertfile, SslOptsConfig, undefined),
+            case {CACerts, CACertfile} of
+                {undefined, undefined} ->
+                    try public_key:cacerts_get() of
+                        CaCerts ->
+                            [{cacerts, CaCerts} | SslOptsConfig]
+                    catch
+                        _ -> 
+                            SslOptsConfig
+                    end;
+                _CaCerts ->
+                    SslOptsConfig
+            end;
+        _ ->
+            SslOptsConfig
+    end.
+
 fix_verify_fun(SslOptsConfig) ->
     %% Starting with ssl 4.0.1 in Erlang R14B, the verify_fun function
     %% takes 3 arguments and returns a tuple.
diff --git a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
index c61aceeb8983..43f288f53129 100644
--- a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
+++ b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
@@ -205,7 +205,7 @@ do_http_req(Path0, Query) ->
 ssl_options() ->
     case application:get_env(rabbitmq_auth_backend_http, ssl_options) of
         {ok, Opts0} when is_list(Opts0) ->
-            Opts1 = [{ssl, rabbit_networking:fix_ssl_options(Opts0)}],            
+            Opts1 = [{ssl, rabbit_ssl_options:fix_client(Opts0)}],            
             case application:get_env(rabbitmq_auth_backend_http, ssl_hostname_verification) of
                 {ok, wildcard} ->
                     rabbit_log:debug("Enabling wildcard-aware hostname verification for HTTP client connections"),
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
index bba6767a3ce4..ec6ca0098473 100644
--- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
+++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@@ -761,7 +761,7 @@ ssl_conf() ->
     end.
 
 ssl_options() ->
-    Opts0 = rabbit_networking:fix_ssl_options(env(ssl_options)),
+    Opts0 = rabbit_ssl_options:fix_client(env(ssl_options)),
     case env(ssl_hostname_verification, undefined) of
         wildcard ->
             rabbit_log_ldap:debug("Enabling wildcard-aware hostname verification for LDAP client connections"),