From b2dc6ccf7f48dd8d52ece8359e363322dbb9b595 Mon Sep 17 00:00:00 2001
From: Sebastien Merle
Date: Tue, 11 Nov 2025 14:30:12 +0100
Subject: [PATCH] Move allow_expired_certs to grisp_keychain
---
 README.md | 12 ++++++++++++
 rebar.config | 2 +-
 rebar.lock | 4 ++++
 src/grisp_connect_client.erl | 8 +-------
 src/grisp_connect_crypto.erl | 15 ---------------
 5 files changed, 18 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index dcabc2f..8052bd4 100644
--- a/README.md
+++ b/README.md
@@ -196,6 +196,18 @@ Note: we do not depend on `certifi`, make sure it is added to your deps in case
 `grisp_connect` will ignore `cert_expired` errors during certificate path validation. This should only be used for development. Default is `false`.
+```erlang
+ % Example sys.config
+ [
+ ...
+ {grisp_keychain, [
+ ...
+ {allow_expired_certs, true},
+ ...
+ ]}
+ ]
+```
+
 ## See all Logs on GRiSP.io
 Once this app is started, it forwards all logs to GRiSP.io without the need of setting up anything. The only logs that we do not catch are the ones generated before `grisp_connect` boots.
diff --git a/rebar.config b/rebar.config
index 6f9ae3b..bc52912 100644
--- a/rebar.config
+++ b/rebar.config
@@ -2,7 +2,7 @@
 {deps, [
 jsx,
 jarl,
- grisp_keychain
+ {grisp_keychain, {git, "https://github.com/grisp/grisp_keychain.git", {branch, "sylane/add-allow-expired-certs"}}}
 ]}.
 {plugins, [rebar3_grisp, rebar3_ex_doc]}.
diff --git a/rebar.lock b/rebar.lock
index 0c466fa..6efd856 100644
--- a/rebar.lock
+++ b/rebar.lock
@@ -1,5 +1,9 @@
 {"1.2.0",
 [{<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.13.0">>},2},
+ {<<"grisp_keychain">>,
+ {git,"https://github.com/grisp/grisp_keychain.git",
+ {ref,"e63f917ee771acb3fe6b7e1eacbaea8c175d76f5"}},
+ 0},
 {<<"gun">>,{pkg,<<"gun">>,<<"2.1.0">>},1},
 {<<"jarl">>,{pkg,<<"jarl">>,<<"1.1.0">>},0},
 {<<"jsx">>,{pkg,<<"jsx">>,<<"3.1.0">>},0}]}.
diff --git a/src/grisp_connect_client.erl b/src/grisp_connect_client.erl
index 71f2c57..54c491a 100644
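Review bot: The new `grisp_keychain` entry in rebar.config tracks a mutable git branch, `{branch, "sylane/add-allow-expired-certs"}`, instead of a released version or an immutable ref. A branch name is not a stable identifier: a force-push to it changes what a fresh `rebar3 upgrade` pulls, and the name suggests a personal feature branch that will disappear once merged, breaking builds for anyone not honouring the committed rebar.lock. The lock file does pin commit `e63f917ee771acb3fe6b7e1eacbaea8c175d76f5`, so reproducibility currently rests entirely on the lock being respected. I would pin the source itself, `{grisp_keychain, {git, "https://github.com/grisp/grisp_keychain.git", {ref, "e63f917ee771acb3fe6b7e1eacbaea8c175d76f5"}}}`, or better return to the hex package once a release containing `allow_expired_certs` is published, as the branch name suggests is the intent.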
--- a/src/grisp_connect_client.erl
+++ b/src/grisp_connect_client.erl
@@ -404,10 +404,4 @@ conn_error(Data, Code, Message, ErData, ReqRef) ->
 conn_error(Data, Code, Message, BinErData, ReqRef).
 tls_options(Domain) ->
- ExtraOpts = case application:get_env(grisp_connect, allow_expired_certs) of
- {ok, false} -> [];
- {ok, true} ->
- [{verify_fun,
- {fun grisp_connect_crypto:skip_cert_expired/3, []}}]
- end,
- grisp_keychain:tls_options(Domain) ++ ExtraOpts.
+ grisp_keychain:tls_options(Domain).
diff --git a/src/grisp_connect_crypto.erl b/src/grisp_connect_crypto.erl
index 7977491..9086374 100644
--- a/src/grisp_connect_crypto.erl
+++ b/src/grisp_connect_crypto.erl
@@ -9,7 +9,6 @@
 % API functions
 -export([verify_server/3]).
--export([skip_cert_expired/3]).
 %--- API Functions -------------------------------------------------------------
@@ -29,17 +28,3 @@ verify_server(OtpCert, _Event, _State) ->
 true -> {valid, Hash};
 false -> {fail, not_allowed}
 end.
-
--doc """
-Identical to the default verify_fun, but ignores the cert_expired failure.
-""".
-skip_cert_expired(_, {bad_cert, cert_expired}, UserState) ->
- {valid, UserState};
-skip_cert_expired(_, {bad_cert, _} = Reason, _) ->
- {fail, Reason};
-skip_cert_expired(_, {extension, _}, UserState) ->
- {unknown, UserState};
-skip_cert_expired(_, valid, UserState) ->
- {valid, UserState};
-skip_cert_expired(_, valid_peer, UserState) ->
- {valid, UserState}.
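Review bot: `tls_options/1` now delegates entirely to `grisp_keychain:tls_options(Domain)` and no longer reads `application:get_env(grisp_connect, allow_expired_certs)`, so a deployment that still sets that key under `grisp_connect` gets neither an error nor the relaxed validation it asked for, and nothing in the code points at the new `grisp_keychain` location that only the README hunk documents. Because this option exists to weaken certificate path validation, silently dropping it cuts both ways: a developer relying on it sees unexplained TLS failures, and a stale `true` left in an old sys.config is never noticed. I would keep a warning in `tls_options/1` for the stale `{ok, true}` case so the obsolete key shows up in the logs, calling `logger:warning/1` directly so it does not depend on whether this module includes `logger.hrl`. The removed clauses matched only `{ok, false}` and `{ok, true}`, which suggests a default is declared in the `grisp_connect` app env outside this patch; matching on `true` only keeps that leftover default from triggering the warning, but the default itself should be removed in a follow-up. The `conn_error/5` clause at the top of the hunk starts outside it.
```erlang
tls_options(Domain) ->
    % The option moved to the grisp_keychain app env; a stale `true` under
    % grisp_connect would otherwise be dropped without any trace.
    case application:get_env(grisp_connect, allow_expired_certs) of
        {ok, true} ->
            logger:warning("grisp_connect allow_expired_certs is no longer honoured; "
                           "set it under grisp_keychain instead");
        _ ->
            ok
    end,
    grisp_keychain:tls_options(Domain).
```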