[erlang-questions] HTTPC doesn't do HTTPS validation

[Ransom Richardson]

I set up a local test server, that has a cert signed by my own self-signed CA cert. Also the CN in the cert is not local host. As expected, curl doesn't like this:


talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'

However httpc doesn't complain, despite not having the CA cert:

3> httpc:request("https://localhost:8443/delay").
{ok,{{"HTTP/1.1",200,"OK"},
     [{"connection","keep-alive"},
      {"date","Sat, 19 Apr 2014 00:31:56 GMT"},
      {"server","Cowboy"},
      {"content-length","0"}],
     []}}

And even if I tell it to verify the peer, it doesn't complain that the host name doesn't match the cert:

6> httpc:request(get, {"https://localhost:8443/delay", []}, [{ssl, [{verify, verify_peer}, {cacertfile, "./priv/ssl/rootCA.pem"}]}], []).
{ok,{{"HTTP/1.1",200,"OK"},
     [{"connection","keep-alive"},
      {"date","Sat, 19 Apr 2014 00:36:09 GMT"},
      {"server","Cowboy"},
      {"content-length","0"}],
     []}}

I actually noticed this when trying to test hackney, which has the same behavior as httpc.

Does anyone know if any of the many other http clients out there do any HTTPS validation?

thanks,
Ransom

?



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140419/ebfd9fcf/attachment.htm>