[erlang-questions] HTTPC doesn't do HTTPS validation
Ransom Richardson
ransomr@REDACTED
Sat Apr 19 06:17:43 CEST 2014
But as I reported in this issue https://github.com/benoitc/hackney/issues/101 I tested against a server with an invalid cert, and hackney did not catch the error. httpc also returned ok.
1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
{ok,200,
[{<<"connection">>,<<"keep-alive">>},
{<<"server">>,<<"Cowboy">>},
{<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
{<<"content-length">>,<<"0">>}],
#Ref<0.0.0.111>}
The same happens if I pass validate_peer and the rootCA file as ssl_options.
curl correctly rejects the server:
talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'
This is using Erlang 17.0. Is it possible that the ssl default changed?
Or am I doing something wrong?
The server I'm testing against is in this repo: https://github.com/talko/httpcbench. It's a work in progress, but if you pull, make and run_server you should see the same issue.
thanks,
Ransom
________________________________
From: Benoit Chesneau <bchesneau@REDACTED>
Sent: Saturday, April 19, 2014 12:08 AM
To: Ransom Richardson
Cc: erlang-questions@REDACTED
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation
On Sat, Apr 19, 2014 at 6:02 AM, Ransom Richardson <ransomr@REDACTED> wrote:
> What I am seeing is that it is insecure by default (both httpc and hackney). I also don't see a way to make it secure.
There is no such default in hackney:
https://github.com/benoitc/hackney/blob/master/src/hackney_connect.erl#L201
> Is there an option that I can pass that will cause it to validate that the cert matches the host?
Using the validate_fun function probably.
> Is there an easier way to turn on validation than passing [{validate, validate_peer}, {cacertfile, ...}] on every request?
> It never even occurred to me that an http client would be insecure by default when connecting over https.
It isn't. A lot were.
- benoit
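The exchange above never shows what a verified request actually looks like, so here is an added example (not code from the thread, from httpc, or from hackney) that puts the thread's unverified call next to one with verification switched on. The real ssl option names are {verify, verify_peer} and {cacertfile, Path}; a bare verify_peer only checks that the chain leads to a configured CA, it does not by itself check that the certificate's subject/SAN matches the host you asked for, which is the second failure curl reports above. The hostname-rule option customize_hostname_check is assumed here to be available only in OTP releases newer than the 17.0 this thread was run on, so on an old release that line has to be replaced by a verify_fun of your own. The CA path and URL are placeholders.

```erlang
%% Added example, not from the thread or the httpc/hackney sources.
%% Shows an unverified HTTPS request next to a verified one.
-module(https_verify_example).
-export([unverified_get/1, verified_get/2, verified_hackney_get/2]).

%% Matches what the thread observed: no ssl options, so the peer
%% certificate is accepted whatever it says and whoever signed it.
unverified_get(Url) ->
    start_apps(),
    httpc:request(get, {Url, []}, [], []).

%% Chain verification against an explicit CA bundle plus a hostname
%% check. CaCertFile is a PEM file path supplied by the caller.
verified_get(Url, CaCertFile) ->
    start_apps(),
    httpc:request(get, {Url, []}, [{ssl, tls_opts(CaCertFile)}], []).

%% Same options handed to hackney through its ssl_options key, which is
%% the key the thread refers to (hackney call shape assumed, hackney
%% itself is not part of OTP).
verified_hackney_get(Url, CaCertFile) ->
    start_apps(),
    hackney:get(Url, [], <<>>, [{ssl_options, tls_opts(CaCertFile)}]).

tls_opts(CaCertFile) ->
    [{verify, verify_peer},            % reject unknown or untrusted chains
     {cacertfile, CaCertFile},         % trust anchor(s) to verify against
     {depth, 3},                       % longest chain we are willing to walk
     %% Apply HTTPS hostname matching (CN/SAN, wildcards) to the URL host.
     %% Assumed to need a newer OTP than 17.0; older releases must do this
     %% in a {verify_fun, ...} instead.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

start_apps() ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    ok.
```

Against the thread's test server (self-signed "httpcbench server" certificate on localhost:8443) verified_get/2 without the root CA should fail on the chain, and with priv/ssl/rootCA.pem should still fail on the hostname mismatch, which is the same pair of errors curl prints above; only unverified_get/1 returns 200.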