[erlang-questions] HTTPC doesn't do HTTPS validation

Benoit Chesneau bchesneau@REDACTED
Sat Apr 19 05:06:29 CEST 2014


On Sat, Apr 19, 2014 at 2:48 AM, Ransom Richardson <ransomr@REDACTED> wrote:

>  I set up a local test server, that has a cert signed by my own
> self-signed CA cert. Also the CN in the cert is not localhost. As
> expected, curl doesn't like this:
>
>
>  talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
>
>  talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem
> https://localhost:8443/delay
> curl: (51) SSL: certificate subject name 'httpcbench server' does not
> match target host name 'localhost'
>
>  However httpc doesn't complain, despite not having the CA cert:
>
>  3> httpc:request("https://localhost:8443/delay").
> {ok,{{"HTTP/1.1",200,"OK"},
>      [{"connection","keep-alive"},
>       {"date","Sat, 19 Apr 2014 00:31:56 GMT"},
>       {"server","Cowboy"},
>       {"content-length","0"}],
>      []}}
>
>  And even if I tell it to verify the peer, it doesn't complain that the
> host name doesn't match the cert:
>
>  6> httpc:request(get, {"https://localhost:8443/delay", []}, [{ssl,
> [{verify, verify_peer}, {cacertfile, "./priv/ssl/rootCA.pem"}]}], []).
> {ok,{{"HTTP/1.1",200,"OK"},
>      [{"connection","keep-alive"},
>       {"date","Sat, 19 Apr 2014 00:36:09 GMT"},
>       {"server","Cowboy"},
>       {"content-length","0"}],
>      []}}
>
>  I actually noticed this when trying to test hackney, which has the same
> behavior as httpc.
>
>  Does anyone know if any of the many other http clients out there do any
> HTTPS validation?
>
>
I don't know about httpc, but hackney doesn't pass any default option to the
ssl socket when you connect over HTTPS, except if you pass the insecure
option to the request (which provides the same feature you find in curl).

- benoit
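
The behaviour discussed in this thread (no chain validation by default, and no host name check even with verify_peer) can be closed off by passing explicit ssl options to httpc. The module below is an added example, not code from either poster or from hackney; the module and function names are hypothetical, and it assumes a recent OTP release in which ssl accepts customize_hostname_check and public_key exports pkix_verify_hostname_match_fun/1.

```erlang
%% Added example, not code from the thread. Assumes a recent OTP release;
%% the options below may not exist in the 2014-era OTP used by the posters.
-module(strict_httpc).
-export([ssl_opts/1, get/2]).

%% TLS client options that make the handshake fail unless the server's
%% chain validates against CACertFile AND the certificate names match the
%% host part of the requested URL.
ssl_opts(CACertFile) ->
    [%% Abort the handshake when the chain does not validate.
     {verify, verify_peer},
     %% Trust anchor(s), e.g. "./priv/ssl/rootCA.pem" from the thread.
     {cacertfile, CACertFile},
     %% Compare certificate names with the requested host using HTTPS
     %% matching rules (wildcard handling included).
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% GET Url with strict validation. TLS failures are returned by httpc as
%% {error, Reason} instead of a 200 response.
get(Url, CACertFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    httpc:request(get, {Url, []}, [{ssl, ssl_opts(CACertFile)}], []).
```

With the test server from the thread, whose certificate subject is 'httpcbench server', `strict_httpc:get("https://localhost:8443/delay", "./priv/ssl/rootCA.pem")` should return an error tuple, matching what curl reports with `--cacert`.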