Description
Now that HTTP::Tiny enables SSL certificate verification by default, maybe it's time to remove the explicit option in code?
So we can use the $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} environment variable in development mode?
The explicit check prevents the usage of the environment variable as documented below:
$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} - Changes the default certificate verification behavior to not check server identity if set to 1. Only effective if verify_SSL is not set. Added in version 0.083.
Changes mentions:
Line 18 in 4f31181
- Add verify_SSL=>1 to HTTP::Tiny to verify https server identity.
And we have in place:
https://github.com/search?q=repo%3Abluefeet%2FGitLab-API-v4%20verify_SSL&type=code
But then, if this option is present in the constructor, there's (absolutely) no way to make an "insecure" connection in development settings apart from manually patching/modifying the PM files to remove this argument from the new constructor.
Many times it's not the developers who set up the "insecure" GitLab instances; developers just need to connect to what's already available.
So please make it possible, not by default, but optionally, by way of setting the environment variable above, following the HTTP::Tiny settings.
Thanks
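
One way the behaviour requested above could be implemented, as an added example that is not code from the issue's author or from GitLab::API::v4: leave `verify_SSL` unset on HTTP::Tiny 0.083 and later so the documented environment variable is honoured, and keep forcing verification on older versions, whose default was not to verify. The helper name `http_tiny_args` is hypothetical.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical helper (not part of GitLab::API::v4): build the HTTP::Tiny
# constructor arguments without defeating the environment variable.
sub http_tiny_args {
    my (%opt) = @_;    # the caller may pass verify_SSL explicitly
    my %args;

    if (exists $opt{verify_SSL}) {
        # An explicit choice by the caller always wins.
        $args{verify_SSL} = $opt{verify_SSL} ? 1 : 0;
    }
    elsif (!eval { HTTP::Tiny->VERSION('0.083'); 1 }) {
        # Before 0.083 the default was not to verify, so keep forcing it on.
        $args{verify_SSL} = 1;
    }
    # Otherwise verify_SSL stays unset: HTTP::Tiny 0.083+ verifies by default
    # and only then consults PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT.

    if (!exists $args{verify_SSL}
        && ($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} // '') eq '1') {
        # Make the opt-out visible so it is noticed outside development.
        warn "TLS certificate verification disabled by "
           . "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT\n";
    }
    return %args;
}

my $ua = HTTP::Tiny->new(http_tiny_args());
printf "verify_SSL in effect: %s\n", $ua->verify_SSL ? 1 : 0;
```

With this shape, verification stays on unless the operator sets the variable or the caller passes `verify_SSL => 0`, and the warning leaves a trace when the opt-out is active.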
