Cldr.Http (cldr_utils v2.19.1)

Supports securely downloading https content.

Functions

Specs

get(String.t()) :: {:ok, binary()} | {:error, any()}

Securely download https content from a URL.

This function uses the built-in :httpc client but enables certificate verification, which :httpc does not enable by default.

See also https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Arguments

  • url is a binary URL

Returns

  • {:ok, body} if the return is successful

  • {:error, error} if the download is unsuccessful. An error will also be logged in these cases.

Unsafe HTTPS

If the environment variable CLDR_UNSAFE_HTTPS is set to anything other than FALSE, false, nil or NIL then no peer verification of certificates is performed. Setting this variable is not recommended but may be required where peer verification fails for unidentified reasons. Please open an issue if this occurs.

Certificate stores

In order to keep dependencies to a minimum, get/1 attempts to locate an already installed certificate store. It will try to locate a store in the following order which is intended to satisfy most host systems. The certificate store is expected to be a path name on the host system.

# A certificate store configured by the
# developer
Application.get_env(:ex_cldr, :cacertfile)

# Populated if hex package `CAStore` is configured
CAStore.file_path()

# Populated if hex package `certifi` is configured
:certifi.cacertfile()

# Debian/Ubuntu/Gentoo etc.
"/etc/ssl/certs/ca-certificates.crt",

# Fedora/RHEL 6
"/etc/pki/tls/certs/ca-bundle.crt",

# OpenSUSE
"/etc/ssl/ca-bundle.pem",

# OpenELEC
"/etc/pki/tls/cacert.pem",

# CentOS/RHEL 7
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",

# OpenSSL on MacOS
"/usr/local/etc/openssl/cert.pem",

# MacOS & Alpine Linux
"/etc/ssl/cert.pem"
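
The store lookup order and the CLDR_UNSAFE_HTTPS rule described above, combined into a verifying :httpc request. This is an added example, not the cldr_utils source: the module name SecureFetchExample, its function names, and the choice to raise when no store is found are assumptions.

```elixir
defmodule SecureFetchExample do
  # Hypothetical module; names are illustrative, not cldr_utils internals.
  @system_stores [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
    "/etc/pki/tls/cacert.pem",
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
    "/usr/local/etc/openssl/cert.pem",
    "/etc/ssl/cert.pem"
  ]

  # First candidate that exists on disk, in the documented order, or nil.
  def cacertfile do
    [Application.get_env(:ex_cldr, :cacertfile), optional(CAStore, :file_path),
     optional(:certifi, :cacertfile) | @system_stores]
    |> Enum.reject(&is_nil/1)
    |> Enum.map(&to_string/1)
    |> Enum.find(&File.exists?/1)
  end

  # Calls mod.fun() only when the optional hex package is actually available.
  defp optional(mod, fun) do
    if Code.ensure_loaded?(mod) and function_exported?(mod, fun, 0), do: apply(mod, fun, [])
  end

  # Unset, FALSE, false, nil and NIL keep verification on; anything else disables it.
  def unsafe_https? do
    System.get_env("CLDR_UNSAFE_HTTPS") not in [nil, "FALSE", "false", "nil", "NIL"]
  end

  def ssl_options do
    case {unsafe_https?(), cacertfile()} do
      {true, _} -> [verify: :verify_none]
      # Assumption of this example: fail closed rather than silently skip verification.
      {false, nil} -> raise "no certificate store found; refusing unverified download"
      {false, path} ->
        [verify: :verify_peer, cacertfile: String.to_charlist(path),
         customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]]
    end
  end

  def get(url) do
    Enum.each([:inets, :ssl], &Application.ensure_all_started/1)
    case :httpc.request(:get, {String.to_charlist(url), []}, [ssl: ssl_options()], body_format: :binary) do
      {:ok, {{_version, 200, _reason}, _headers, body}} -> {:ok, body}
      {:ok, {{_version, status, _reason}, _headers, _body}} -> {:error, {:http_status, status}}
      {:error, reason} -> {:error, reason}
    end
  end
end
```

With `verify: :verify_peer`, a host whose certificate chain does not terminate in the selected store produces an `{:error, reason}` from `:httpc.request/4` instead of a body.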