From 8443defbf9dafc9cc2b82352e9806c2e143345d5 Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Mon, 12 Oct 2020 20:26:54 +0200
Subject: [PATCH] cohttp-lwt-unix: use ca-certs, authenticate client connections
---
 cohttp-lwt-unix.opam | 1 +
 cohttp-lwt-unix/src/dune | 2 +-
 cohttp-lwt-unix/src/net.ml | 5 ++++-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/cohttp-lwt-unix.opam b/cohttp-lwt-unix.opam
index 26092d92df..96c40b7ea8 100644
--- a/cohttp-lwt-unix.opam
+++ b/cohttp-lwt-unix.opam
@@ -29,6 +29,7 @@ depends: [
 "dune" {>= "1.1.0"}
 "conduit-lwt" {>= "1.0.3"}
 "conduit-lwt-tls"
+ "ca-certs"
 "cmdliner"
 "magic-mime"
 "logs"
diff --git a/cohttp-lwt-unix/src/dune b/cohttp-lwt-unix/src/dune
index 04c607ccec..3e3cd05689 100644
--- a/cohttp-lwt-unix/src/dune
+++ b/cohttp-lwt-unix/src/dune
@@ -5,4 +5,4 @@
 (preprocess
 (pps ppx_sexp_conv))
 (libraries fmt logs logs.lwt conduit-lwt conduit-lwt-tls magic-mime lwt.unix
- cohttp cohttp-lwt))
+ ca-certs cohttp cohttp-lwt))
diff --git a/cohttp-lwt-unix/src/net.ml b/cohttp-lwt-unix/src/net.ml
index be47a7ffcd..180b2b8d6e 100644
--- a/cohttp-lwt-unix/src/net.ml
+++ b/cohttp-lwt-unix/src/net.ml
@@ -23,7 +23,10 @@ module IO = Io
 type ctx = (Conduit.resolvers[@sexp.opaque]) [@@deriving sexp]
-let authenticator ~host:_ _ = Ok None
+let authenticator =
+ match Ca_certs.authenticator () with
+ | Ok a -> a
+ | Error (`Msg msg) -> failwith msg
 let tls_config = Tls.Config.client ~authenticator ()
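Review bot: In the `cohttp-lwt-unix/src/net.ml` hunk the new `authenticator` is a top-level value, so `Ca_certs.authenticator ()` is evaluated when the module is initialised and the `failwith msg` branch would abort any program that links this module on a host where the system trust anchors cannot be loaded, including ones that never open a TLS client connection. Deferring the lookup keeps certificate verification on while limiting the failure to TLS use: wrap the `match` in `lazy (...)` and change the following line to `let tls_config = lazy (Tls.Config.client ~authenticator:(Lazy.force authenticator) ())`, forcing it where a TLS connection is set up. The users of `tls_config` are outside this hunk, so they would need the matching `Lazy.force`. The bare `msg` also gives no hint of where the failure originated; a prefix such as `failwith ("cohttp-lwt-unix: loading CA certificates: " ^ msg)` would make the startup error diagnosable.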