[erlang-questions] HTTPC doesn't do HTTPS validation

Ransom Richardson ransomr@REDACTED
Mon Apr 21 20:58:24 CEST 2014


verify_none does seem like the default.


Also, even if I pass verify_peer, nothing checks if the host name in the certificate matches the host that I am connecting to. So a server can present any validly signed certificate for a different site.


Ransom


________________________________
From: Benoit Chesneau <bchesneau@REDACTED>
Sent: Saturday, April 19, 2014 12:31 AM
To: Ransom Richardson
Cc: erlang-questions@REDACTED
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation




On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <ransomr@REDACTED> wrote:

But as I reported in this issue https://github.com/benoitc/hackney/issues/101 I tested against a server with an invalid cert, and hackney did not catch the error. httpc also returned ok.


1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
{ok,200,
    [{<<"connection">>,<<"keep-alive">>},
     {<<"server">>,<<"Cowboy">>},
     {<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
     {<<"content-length">>,<<"0">>}],
    #Ref<0.0.0.111>}

The same happens if I pass validate_peer and the rootCA file as ssl_options.


curl correctly rejects the server:


talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'


This is using Erlang 17.0. Is it possible that the ssl default changed?


Or am I doing something wrong?


The server I'm testing against is in this repo: https://github.com/talko/httpcbench. It's a work in progress, but if you pull, make and run_server you should see the same issue.


thanks,

Ransom


Hrm, looks like the default is verify_none:

https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594

But it's early in the morning and I need more cafe, so...

- benoit
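The two behaviours the thread describes (the default that amounts to verify_none, and verify_peer without any check that the certificate names the host) side by side, as an added example in Erlang that is not code from the thread, hackney or OTP. It assumes OTP 20 or later, where public_key:pkix_verify_hostname/2 exists; the module and function names are my own.

```erlang
-module(httpc_tls_check).
-export([fetch_insecure/1, fetch_verified/3]).

%% Added example, not code from the thread, hackney or OTP.
%% Assumes OTP 20 or later (public_key:pkix_verify_hostname/2).
%% Url, Host and CaFile are supplied by the caller.

%% Reproduces what the thread observed: with no ssl options the request
%% succeeds against a server presenting an untrusted or mismatched cert.
fetch_insecure(Url) ->
    ok = ensure_started(),
    httpc:request(get, {Url, []}, [], []).

%% verify_peer with a CA file rejects an untrusted chain (curl's error 60).
%% The verify_fun adds the check curl reports as error 51: the peer cert
%% must name Host in its SAN or CN, otherwise the handshake is aborted.
fetch_verified(Url, Host, CaFile) ->
    ok = ensure_started(),
    HostCheck =
        fun(_Cert, {bad_cert, Reason}, _State) ->
                {fail, Reason};
           (_Cert, {extension, _Ext}, State) ->
                {unknown, State};
           (_Cert, valid, State) ->
                {valid, State};
           (Cert, valid_peer, State) ->
                case public_key:pkix_verify_hostname(Cert, [{dns_id, Host}]) of
                    true  -> {valid, State};
                    false -> {fail, {bad_cert, hostname_check_failed}}
                end
        end,
    SslOpts = [{verify, verify_peer},
               {cacertfile, CaFile},
               {depth, 2},
               {server_name_indication, Host},
               {verify_fun, {HostCheck, []}}],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], []).

ensure_started() ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    ok.
```

On OTP 20 and later, ssl also performs hostname verification itself when verify_peer is set and the host is known, so the explicit verify_fun makes the requirement visible in the client code rather than relying on the release's defaults.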

