TLS

TLS options can be set via the :ssl option, which takes a hash. This hash is passed (almost) unchanged to the corresponding OpenSSL::SSL::SSLContext, so it accepts :ssl_version, :verify_mode, :ca_path, and all the other usual parameters you'd set if you were establishing the OpenSSL::SSL::SSLSocket yourself.

As an example, this is how you’d disable server certificate verification:

HTTPX.get("https://self-signed.badssl.com/")
#=> #<HTTPX::ErrorResponse:0x00007fc9fd8850a8
 @error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)>, ....

# for one request
HTTPX.get("https://self-signed.badssl.com/", ssl: {verify_mode: OpenSSL::SSL::VERIFY_NONE})
#=> #<Response:5380 HTTP/1.1 @status=200 @headers={"server"=>["nginx/1.10.3 (Ubuntu)"], ....

# or if you'd like it to apply for all requests from a session:
http = HTTPX.plugin(:cookies).with(ssl: {verify_mode: OpenSSL::SSL::VERIFY_NONE})
http.get("https://self-signed.badssl.com/") #=> #<Response:5380 HTTP/1.1 @status=200 
http.get("https://self-signed.badssl.com/") #=> #<Response:5400 HTTP/1.1 @status=200 
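
An alternative to VERIFY_NONE for the self-signed case, as an added example that is not from the httpx documentation: keep verification on and trust only the expected certificate through :cert_store. It uses only Ruby's openssl library; the certificate is constructed, the helper names are hypothetical, and passing :cert_store through `ssl:` is an assumption based on the hash being handed to the SSLContext as described above.

```ruby
require "openssl"

# Constructed sample: a throwaway self-signed certificate standing in for
# the one the server would present.
def self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical helper: verify `cert` against a store holding only `trusted`.
# Returns [ok, OpenSSL verify error code].
def verify_with(trusted, cert)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(cert), store.error]
end

# Hypothetical helper: the hash to pass as `ssl:`. Verification stays on and
# the only trust anchor is the pinned certificate (no system CA bundle).
def pinned_ssl_options(cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store }
end

if __FILE__ == $PROGRAM_NAME
  pinned = self_signed_cert("self-signed.example.test")
  other = self_signed_cert("other.example.test")
  p verify_with([], pinned)       # untrusted: the failure shown above
  p verify_with([pinned], pinned) # trusted once pinned
  p verify_with([pinned], other)  # any other self-signed cert still fails

  # The same hash is accepted by SSLContext, which is where httpx sends it
  # (assumption based on the description above):
  #   HTTPX.get(url, ssl: pinned_ssl_options(pinned))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(pinned_ssl_options(pinned))
  puts "verify_mode=#{ctx.verify_mode} pinned_store=#{!ctx.cert_store.nil?}"
end
```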
 

ALPN

https://www.keycdn.com/support/alpn

The :alpn_protocols option will be (if supported) set to %w[h2 http/1.1] by default, which is what allows seamless HTTP/2 over TLS.

(Note: httpx does not support :npn_protocols by default. As long as the underlying openssl lib allows it, you can pass it as an additional option though.)

SNI

https://www.cloudflare.com/learning/ssl/what-is-sni/

httpx will automatically set the given URL hostname as the domain to be used for Server Name Indication.

If you need to override this (for example, to complete the TLS handshake with a proxy while indicating a downstream server via the Host header), you can pass :hostname:

HTTPX.get("https://172.45.65.131:5647/", ssl: {hostname: "proxy-ssl"}, headers: {"host": "subapp.com:5647"})
