[erlang-questions] HTTPC doesn't do HTTPS validation
Benoit Chesneau
bchesneau@REDACTED
Sat Apr 19 06:08:47 CEST 2014
On Sat, Apr 19, 2014 at 6:02 AM, Ransom Richardson <ransomr@REDACTED> wrote:
> What I am seeing is that it is insecure by default (both httpc and
> hackney). I also don't see a way to make it secure.
>
There is no such default in hackney:
https://github.com/benoitc/hackney/blob/master/src/hackney_connect.erl#L201
>
> Is there an option that I can pass that will cause it to validate that
> the cert matches the host?
>
Using the validate_fun function probably.
> Is there an easier way to turn on validation than passing [{validate,
> validate_peer}, {cacertfile, ...}] on every request?
>
>
> It never even occurred to me that an http client would be insecure by
> default when connecting over https.
>
It isn't. A lot were.
- benoit
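
Added example, not part of the original message and not hackney's or OTP's own code: a small wrapper around httpc that turns on chain verification and hostname matching for every request, so the TLS options are not repeated at each call site. It uses the ssl application's verify, cacertfile and customize_hostname_check options from current OTP releases, which are newer than this 2014 thread; the module name, function names and CA bundle path are assumptions.

```erlang
-module(https_verify_example).
-export([get/1, ssl_opts/1]).

%% Assumed location of the system CA bundle; adjust for the host OS.
-define(CACERTFILE, "/etc/ssl/certs/ca-certificates.crt").

%% TLS options that make the client reject the connection unless the
%% server's chain leads to a trusted CA and the certificate matches Host.
ssl_opts(Host) ->
    [{verify, verify_peer},               % fail on an untrusted chain
     {cacertfile, ?CACERTFILE},           % trust anchors to verify against
     {depth, 5},                          % max intermediate CA certificates
     {server_name_indication, Host},      % name sent via SNI and checked
     {customize_hostname_check,           % HTTPS-style wildcard matching
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% GET Url (a string) with verification always enabled.
%% Anything that is not an https URL is refused rather than fetched
%% without TLS.
get(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    case uri_string:parse(Url) of
        #{scheme := "https", host := Host} ->
            httpc:request(get, {Url, []}, [{ssl, ssl_opts(Host)}], []);
        _ ->
            {error, not_https}
    end.
```

A certificate that fails either check surfaces as an {error, Reason} return from httpc:request/4 instead of a response.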