[erlang-questions] HTTPC doesn't do HTTPS validation

Benoit Chesneau <>
Sat Apr 19 06:08:47 CEST 2014


On Sat, Apr 19, 2014 at 6:02 AM, Ransom Richardson <>wrote:

>  What I am seeing is that it is insecure by default (both httpc and
> hackney). I also don't see a way to make it secure.
>

There is no such default in hackney:

https://github.com/benoitc/hackney/blob/master/src/hackney_connect.erl#L201



>
>  Is there an option that I can pass that will cause it to validate that
> the cert matches the host?
>

Using the validate_fun function probably.

>  Is there an easier way to turn on validation than passing [{validate,
> validate_peer}, {cacertfile, ...}] on every request?
>
>
>  It never even occurred to me that an http client would be insecure by
> default when connecting over https.
>

it isn't. A lot were.

- benoit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140419/0019661a/attachment.html>


More information about the erlang-questions mailing list