[erlang-questions] HTTPC doesn't do HTTPS validation

Ransom Richardson <>
Mon Apr 21 23:56:20 CEST 2014


Thanks, it looks like that would work, and I also don't see an easier way.


But I'm still shocked that to make a https request in Erlang that verifies that the server cert matches the URL, I need to define my own verify function. And I need to pass a bunch of ssl options on each request - presumably one of which is platform dependent (the list of root CA certs). All to do something that curl does by default.


For the record, I've tested httpc, lhttpc, ibrowse and hackney, and none of them actually verify the server has a certificate for the URL they are connecting to.

?

________________________________
From: Alexei Sholik <>
Sent: Monday, April 21, 2014 4:55 PM
To: Ransom Richardson
Cc: Benoit Chesneau; 
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation

Ransom, if you look at the code closely, you'll see that it uses UserVerifyFun (undefined by default) for the verification.

There is also fail_if_no_peer_cert option which is set to false by default.

https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L589


On Mon, Apr 21, 2014 at 9:58 PM, Ransom Richardson <<mailto:>> wrote:

?verify_none does seem like the default.


Also, even if I pass verify_peer, nothing checks if the host name in the certificate matches the host that I am connecting to. So a server can present any validly signed certificate for a different site.


Ransom


________________________________
From: Benoit Chesneau <<mailto:>>
Sent: Saturday, April 19, 2014 12:31 AM

To: Ransom Richardson
Cc: <mailto:>
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation




On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <<mailto:>> wrote:

But as I reported in this issue https://github.com/benoitc/hackney/issues/101 I tested against a server with an invalid cert, and hackney did not catch the error. httpc also returned ok.


1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
{ok,200,
    [{<<"connection">>,<<"keep-alive">>},
     {<<"server">>,<<"Cowboy">>},
     {<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
     {<<"content-length">>,<<"0">>}],
    #Ref<0.0.0.111>}

The same happens if I pass validate_peer and the rootCA file as ssl_options.


curl correctly rejects the server:


:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'


This is using Erlang 17.0. Is it possible that the ssl default changed?


Or am I doing something wrong?


The server I'm testing against is in this repo: https://github.com/talko/httpcbench. It's a work in progress, but if you pull, make and run_server you should see the same issue.


thanks,

Ransom


hrm looks like the default is verify_none:

https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594

But it's early in the morning and I need more cafe, so...

- benoit

_______________________________________________
erlang-questions mailing list
<mailto:>
http://erlang.org/mailman/listinfo/erlang-questions




--
Best regards
Alexei Sholik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140421/aa63861d/attachment.html>


More information about the erlang-questions mailing list