[erlang-questions] HTTPC doesn't do HTTPS validation

Alexei Sholik <>
Mon Apr 21 22:55:30 CEST 2014


Ransom, if you look at the code closely, you'll see that it uses
UserVerifyFun (undefined by default) for the verification.

There is also fail_if_no_peer_cert option which is set to false by default.

https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L589


On Mon, Apr 21, 2014 at 9:58 PM, Ransom Richardson <>wrote:

>  ​verify_none does seem like the default.
>
>
>  Also, even if I pass verify_peer, nothing checks if the host name in the
> certificate matches the host that I am connecting to. So a server can
> present any validly signed certificate for a different site.
>
>
>  Ransom
>
>
>  ------------------------------
> *From:* Benoit Chesneau <>
> *Sent:* Saturday, April 19, 2014 12:31 AM
>
> *To:* Ransom Richardson
> *Cc:* 
> *Subject:* Re: [erlang-questions] HTTPC doesn't do HTTPS validation
>
>
>
>
> On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <>wrote:
>
>>  But as I reported in this issue
>> https://github.com/benoitc/hackney/issues/101 I tested against a server
>> with an invalid cert, and hackney did not catch the error. httpc also
>> returned ok.
>>
>>
>>  1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
>> {ok,200,
>>     [{<<"connection">>,<<"keep-alive">>},
>>      {<<"server">>,<<"Cowboy">>},
>>      {<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
>>      {<<"content-length">>,<<"0">>}],
>>     #Ref<0.0.0.111>}
>>
>> The same happens if I pass validate_peer and the rootCA file as
>> ssl_options.
>>
>>
>>  curl correctly rejects the server:
>>
>>
>>  :~/dev/httpcbench$ curl https://localhost:8443/delay
>> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> :~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
>> curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'
>>
>>
>>  This is using Erlang 17.0. Is it possible that the ssl default changed?
>>
>>
>>  Or am I doing something wrong?
>>
>>
>>  The server I'm testing against is in this repo:
>> https://github.com/talko/httpcbench. It's a work in progress, but if you
>> pull, make and run_server you should see the same issue.
>>
>>
>>  thanks,
>>
>> Ransom
>>
>>
>>
>  hrm looks like the default is verify_none:
>
>  https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594
>
>  But it's early in the morning and I need more cafe, so...
>
>  - benoit
>
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
>
>


-- 
Best regards
Alexei Sholik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140421/9a8f0300/attachment.html>


More information about the erlang-questions mailing list