TLS

TLS options can be set via the :ssl option, which takes a hash. This hash is passed (almost) unchanged to the corresponding OpenSSL::SSL::SSLContext, so it accepts :ssl_version, :verify_mode, :ca_path, and all the other usual parameters you would set if you were establishing the OpenSSL::SSL::SSLSocket yourself.

As an example, this is how you can disable server certificate verification:

HTTPX.get("https://self-signed.badssl.com/")
#=> #<HTTPX::ErrorResponse:0x00007fc9fd8850a8
#  @error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0
#  state=error: certificate verify failed (self signed certificate)>, ....

# for one request
HTTPX.get("https://self-signed.badssl.com/", ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
#=> #<Response:5380 HTTP/1.1 @status=200 @headers={"server"=>["nginx/1.10.3 (Ubuntu)"], ....

# or if you'd like it to apply for all requests from a session:
http = HTTPX.plugin(:cookies).with(ssl: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
http.get("https://self-signed.badssl.com/") #=> #<Response:5380 HTTP/1.1 @status=200
http.get("https://self-signed.badssl.com/") #=> #<Response:5400 HTTP/1.1 @status=200

SAN with IP address

When passed an https URL with an IP address, httpx will bypass SNI, but it will still perform TLS certificate SAN verification.

HTTPX.get("https://172.45.65.131:5647/") #=> works if the server TLS certificate contains 172.45.65.131 in SAN extensions
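The SAN requirement above can be checked offline before pointing a client at an IP URL. This is an added example, not httpx's own code: it uses Ruby's standard-library `OpenSSL::SSL.verify_certificate_identity` to illustrate the check, and the helper names, the throwaway certificates and the second IP address are constructed for illustration.

```ruby
require "openssl"

# One throwaway key, reused for every constructed sample certificate.
KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate whose only identity is the given SAN value,
# e.g. "IP:172.45.65.131" or "DNS:subapp.com" (constructed sample data).
def self_signed_cert(san)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=san-example")
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# True when the certificate's SAN entries cover the host taken from the URL.
# For an IP literal, only an iPAddress SAN entry can match.
def san_covers?(cert, url_host)
  OpenSSL::SSL.verify_certificate_identity(cert, url_host)
end

# Run the identity check for the cases that matter with IP-based URLs.
def san_check_matrix
  ip_cert  = self_signed_cert("IP:172.45.65.131")
  dns_cert = self_signed_cert("DNS:subapp.com")
  {
    ip_san_same_ip:       san_covers?(ip_cert, "172.45.65.131"),
    ip_san_other_ip:      san_covers?(ip_cert, "172.45.65.132"),
    dns_only_cert_ip_url: san_covers?(dns_cert, "172.45.65.131"),
    dns_only_cert_name:   san_covers?(dns_cert, "subapp.com"),
  }
end

san_check_matrix.each { |name, ok| puts "#{name}: #{ok}" } if __FILE__ == $0
```

A certificate that lists only DNS names fails the check for an IP URL even when the server behind that IP is the right one, which is the usual cause of verification errors after switching a URL from hostname to IP.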

SNI

https://www.cloudflare.com/learning/ssl/what-is-sni/

httpx will automatically set the given URL hostname as the domain to be used for Server Name Indication.

If you need to override this (for example, to complete the TLS handshake with a proxy while indicating a downstream server via the Host header), you can pass :hostname:

HTTPX.get("https://172.45.65.131:5647/", ssl: { hostname: "proxy-ssl" }, headers: { "host" => "subapp.com:5647" })
