From 5bec0ea733dd905bc693ad997b40e52e206ffdc9 Mon Sep 17 00:00:00 2001 From: zmstone Date: Wed, 19 Jun 2024 22:30:33 +0200 Subject: [PATCH] feat(ssl): cacert option suppor 'system_defaults' so the use is not forced to bloat the options with public_key:cacerts_get() --- OTP_VERSION | 2 +- lib/ssl/src/ssl.erl | 30 ++++++++++++++++++++++++++---- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/OTP_VERSION b/OTP_VERSION index b54695926159..4f52eee7a713 100644 --- a/OTP_VERSION +++ b/OTP_VERSION @@ -1 +1 @@ -26.2.5-2 +26.2.5-3 diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 76ec7ae5e479..6fe36cc6da0b 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -106,6 +106,9 @@ %% Tracing -export([handle_trace/3]). +%% EMQ fork +-export([default_cacerts/0]). + -removed({ssl_accept, '_', "use ssl_handshake/1,2,3 instead"}). -removed({cipher_suites, 0, @@ -461,7 +464,7 @@ -type client_reuse_session() :: session_id() | {session_id(), SessionData::binary()}. -type client_reuse_sessions() :: boolean() | save. -type client_certificate_authorities() :: boolean(). --type client_cacerts() :: [public_key:der_encoded()] | [public_key:combined_cert()]. +-type client_cacerts() :: system_defaults | [public_key:der_encoded()] | [public_key:combined_cert()]. -type client_cafile() :: file:filename(). -type app_level_protocol() :: binary(). -type client_alpn() :: [app_level_protocol()]. @@ -507,7 +510,7 @@ {early_data, server_early_data()} | {use_srtp, use_srtp()}. --type server_cacerts() :: [public_key:der_encoded()] | [public_key:combined_cert()]. +-type server_cacerts() :: system_defaults | [public_key:der_encoded()] | [public_key:combined_cert()]. -type server_cafile() :: file:filename(). -type server_alpn() :: [app_level_protocol()]. -type server_next_protocol() :: [app_level_protocol()]. 
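Review bot: Adding `system_defaults` to `server_cacerts()` (the `@@ -507` hunk) lets a server's `cacerts` option resolve to the OS public trust store, but for the server role that list is the set of CAs client certificates are validated against (and, for TLS 1.3, may be advertised in the certificate request), so with `verify_peer` any certificate issued by a publicly trusted CA would pass chain validation as a client certificate unless the application also supplies a `verify_fun`. That is rarely what a server operator intends, so consider restricting the new alternative to `client_cacerts()` or, if the server side is deliberate, spelling the consequence out in the option description, e.g. `%% system_defaults: use public_key:cacerts_get/0 (OS trust store); on the server side this means any publicly-issued client certificate validates`. The option documentation is not visible in these hunks, so please confirm whether it was updated elsewhere.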
@@ -570,6 +573,20 @@ %%% API %%%-------------------------------------------------------------------- +%% This function is added in EMQ's OTP fork until the upstream provides a similar solution. +%% The application code can be implement like: +%% +%% default_cacerts() -> +%% try +%% ssl:default_cacerts() +%% catch +%% _:_ -> +%% public_key:cacerts_get() +%% end. +-spec default_cacerts() -> system_defaults. +default_cacerts() -> + system_defaults. + %%-------------------------------------------------------------------- %% %% Description: Utility function that starts the ssl and applications @@ -1979,8 +1996,13 @@ check_cert_key(UserOpts, CertKeys, LogLevel) -> opt_cacerts(UserOpts, #{verify := Verify, log_level := LogLevel, versions := Versions} = Opts, #{role := Role}) -> - {_, CaCerts} = get_opt_list(cacerts, undefined, UserOpts, Opts), - + CaCerts = case get_opt(cacerts, undefined, UserOpts, Opts) of + {_, system_defaults} -> + public_key:cacerts_get(); + _ -> + {_, CaCerts0} = get_opt_list(cacerts, undefined, UserOpts, Opts), + CaCerts0 + end, CaCertFile = case get_opt_file(cacertfile, <<>>, UserOpts, Opts) of {Where1, _FileName} when CaCerts =/= undefined -> warn_override(Where1, UserOpts, cacerts, [cacertfile], LogLevel),
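Review bot: The comment block introducing `default_cacerts/0` has wording slips ("can be implement like") and its suggested fallback swallows every exception with `catch _:_`, which would also hide a genuine failure inside `ssl:default_cacerts/0` on a fork that has it; since the only expected failure on stock OTP is the function not existing, the example should read `catch error:undef -> public_key:cacerts_get()`. I would also reword to `%% The application code can be implemented like:` and state explicitly that the function returns only the marker atom and loads nothing, so the caller must pass it as the option value, e.g. `ssl:connect(Host, Port, [{cacerts, default_cacerts()} | Opts])`.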
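Review bot: The `{_, system_defaults}` branch in `opt_cacerts/3` calls `public_key:cacerts_get/0` during option processing, and per its documentation that function fails when no trust store can be loaded, so on a host without OS CA certificates `ssl:connect/3` or `ssl:listen/2` would surface an exception from `opt_cacerts` instead of the `{error, {options, _}}` shape the rest of the option validation appears to produce — the surrounding `try` is outside this hunk, so please confirm. A guarded call such as `try public_key:cacerts_get() catch error:Reason -> option_error(cacerts, {system_defaults, Reason}) end` (using whatever option-error helper the module already uses) would keep the failure mode consistent. The `_ ->` branch also re-reads the option with `get_opt_list/4` after the first `get_opt/4`; if the two differ only in the list check, validating the already-fetched value with `is_list/1` avoids the second lookup. `opt_cacerts` continues past the end of the hunk.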