[erlang-questions] HTTPC doesn't do HTTPS validation

Ransom Richardson <>
Sat Apr 19 06:02:47 CEST 2014


What I am seeing is that it is insecure by default (both httpc and hackney). I also don't see a way to make it secure.


Is there an option that I can pass that will cause it to validate that the cert matches the host?


Is there an easier way to turn on validation than passing [{validate, validate_peer}, {cacertfile, ...}] on every request?


It never even occurred to me that an http client would be insecure by default when connecting over https.


thanks,

Ransom

________________________________
From: Benoit Chesneau <>
Sent: Friday, April 18, 2014 11:06 PM
To: Ransom Richardson
Cc: 
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation




On Sat, Apr 19, 2014 at 2:48 AM, Ransom Richardson <> wrote:

I set up a local test server that has a cert signed by my own self-signed CA cert. Also, the CN in the cert is not localhost. As expected, curl doesn't like this:


:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'

However httpc doesn't complain, despite not having the CA cert:

3> httpc:request("https://localhost:8443/delay").
{ok,{{"HTTP/1.1",200,"OK"},
     [{"connection","keep-alive"},
      {"date","Sat, 19 Apr 2014 00:31:56 GMT"},
      {"server","Cowboy"},
      {"content-length","0"}],
     []}}

And even if I tell it to verify the peer, it doesn't complain that the host name doesn't match the cert:

6> httpc:request(get, {"https://localhost:8443/delay", []}, [{ssl, [{verify, verify_peer}, {cacertfile, "./priv/ssl/rootCA.pem"}]}], []).
{ok,{{"HTTP/1.1",200,"OK"},
     [{"connection","keep-alive"},
      {"date","Sat, 19 Apr 2014 00:36:09 GMT"},
      {"server","Cowboy"},
      {"content-length","0"}],
     []}}

I actually noticed this when trying to test hackney, which has the same behavior as httpc.

Does anyone know if any of the many other http clients out there do any HTTPS validation?


I don't know about httpc, but hackney doesn't pass any default options to the ssl socket when you connect over HTTPS, except if you pass the insecure option to the request (which provides the same feature you find in curl).

- benoit
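Since the thread above shows httpc accepting both an unknown CA and a mismatched host name, here is an added example (not code from the thread, from OTP, or from hackney) of the ssl options that make httpc refuse both. It assumes OTP 20 or later, where the ssl application checks the presented certificate against the host name it was given (the URL host, via the server_name_indication default) whenever verify_peer is set, and where the customize_hostname_check option with public_key:pkix_verify_hostname_match_fun(https) exists to apply the HTTPS matching rules; the module name, the function names and the CA bundle path are my own choices. Earlier releases such as the OTP 17 of the thread have no built-in host-name check, so this module would not close the gap there.

```erlang
%% secure_httpc.erl: added example, not part of the original thread.
%% Wraps httpc:request/4 so that HTTPS connections verify the CA chain
%% and the host name instead of accepting anything, which is the
%% default behaviour shown in the thread.
-module(secure_httpc).
-export([start/0, ssl_opts/1, get/1, get/2]).

%% Hypothetical default CA bundle; adjust for the platform in use.
-define(DEFAULT_CA_FILE, "/etc/ssl/certs/ca-certificates.crt").

%% httpc lives in inets; ssl must be started separately.
start() ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, _} = application:ensure_all_started(inets),
    ok.

%% The weak form seen in the thread was [{verify, verify_peer},
%% {cacertfile, ...}] alone. The options below add a bounded chain
%% depth and an explicit host-name match function, so a certificate
%% issued by the trusted CA for a different name is still rejected.
ssl_opts(CaFile) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {depth, 3},
     %% HTTPS matching rules from RFC 6125 (handles wildcard names).
     %% Assumed available on OTP 20 and later.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

get(Url) ->
    get(Url, ?DEFAULT_CA_FILE).

%% Returns {ok, Status, Headers, Body} on a verified connection, or
%% {error, Reason}. A CA or host-name mismatch surfaces as
%% {error, {failed_connect, [...]}} from httpc rather than a 200.
get(Url, CaFile) ->
    Request = {Url, []},
    HttpOptions = [{ssl, ssl_opts(CaFile)}, {timeout, 10000}],
    case httpc:request(get, Request, HttpOptions, []) of
        {ok, {{_Version, Status, _Reason}, Headers, Body}} ->
            {ok, Status, Headers, Body};
        {error, Reason} ->
            {error, Reason}
    end.
```

Against the test server from the thread, secure_httpc:get("https://localhost:8443/delay", "./priv/ssl/rootCA.pem") is expected to fail on the name mismatch the same way curl does with --cacert, and secure_httpc:get("https://localhost:8443/delay") (no private CA) to fail on the unknown issuer; passing the options through httpc:set_options/1 is not possible for ssl settings, so a wrapper like this is the practical way to avoid repeating them on every request.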