[erlang-questions] HTTPC doesn't do HTTPS validation

Loïc Hoguin essen@REDACTED
Tue Apr 22 00:07:46 CEST 2014


You're partly wrong about curl, curl can only check the CA certs if they 
are installed. It just happens that if they are installed curl is 
generally configured to find them automatically (by the OS' package 
maintainers usually). If they are not installed, then curl rejects 
pretty much everything, which is neither better nor worse than accepting 
everything (I wouldn't want either to do things differently than they do 
now though).

I agree though that there should be a simple option to do the usual 
stuff, aka "what browsers and command-line clients do", that would take 
care of 99% of use cases without needing to spend an hour setting the 
thing up. Just set the verify_it_properly option, pass the CA certs, done.

On 04/21/2014 11:56 PM, Ransom Richardson wrote:
> Thanks, it looks like that would work, and I also don't see an easier way.
>
>
> But I'm still shocked that to make a https request in Erlang that
> verifies that the server cert matches the URL, I need to define my own
> verify function. And I need to pass a bunch of ssl options on each
> request - presumably one of which is platform dependent (the list of
> root CA certs). All to do something that curl does by default.
>
>
> For the record, I've tested httpc, lhttpc, ibrowse and hackney, and none
> of them actually verify the server has a certificate for the URL they
> are connecting to.
>
>>
> ------------------------------------------------------------------------
> *From:* Alexei Sholik <alcosholik@REDACTED>
> *Sent:* Monday, April 21, 2014 4:55 PM
> *To:* Ransom Richardson
> *Cc:* Benoit Chesneau; erlang-questions@REDACTED
> *Subject:* Re: [erlang-questions] HTTPC doesn't do HTTPS validation
> Ransom, if you look at the code closely, you'll see that it uses
> UserVerifyFun (undefined by default) for the verification.
>
> There is also fail_if_no_peer_cert option which is set to false by default.
>
> https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L589
>
>
> On Mon, Apr 21, 2014 at 9:58 PM, Ransom Richardson <ransomr@REDACTED
> <mailto:ransomr@REDACTED>> wrote:
>
>     verify_none does seem like the default.
>
>
>     Also, even if I pass verify_peer, nothing checks if the host name in
>     the certificate matches the host that I am connecting to. So a
>     server can present any validly signed certificate for a different site.
>
>
>     Ransom
>
>
>     ------------------------------------------------------------------------
>     *From:* Benoit Chesneau <bchesneau@REDACTED
>     <mailto:bchesneau@REDACTED>>
>     *Sent:* Saturday, April 19, 2014 12:31 AM
>
>     *To:* Ransom Richardson
>     *Cc:* erlang-questions@REDACTED <mailto:erlang-questions@REDACTED>
>     *Subject:* Re: [erlang-questions] HTTPC doesn't do HTTPS validation
>
>
>
>     On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson
>     <ransomr@REDACTED <mailto:ransomr@REDACTED>> wrote:
>
>         But as I reported in this issue
>         https://github.com/benoitc/hackney/issues/101 I tested against a
>         server with an invalid cert, and hackney did not catch the
>         error. httpc also returned ok.
>
>
>         1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
>         {ok,200,
>              [{<<"connection">>,<<"keep-alive">>},
>               {<<"server">>,<<"Cowboy">>},
>               {<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
>               {<<"content-length">>,<<"0">>}],
>              #Ref<0.0.0.111>}
>
>         The same happens if I pass validate_peer and the rootCA file as
>         ssl_options.
>
>
>         curl correctly rejects the server:
>
>
>         talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
>         curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
>         error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>         talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
>         curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'
>
>
>         This is using Erlang 17.0. Is it possible that the ssl default
>         changed?
>
>
>         Or am I doing something wrong?
>
>
>         The server I'm testing against is in this repo:
>         https://github.com/talko/httpcbench. It's a work in progress,
>         but if you pull, make and run_server you should see the same issue.
>
>
>         thanks,
>
>         Ransom
>
>
>
>     hrm looks like the default is verify_none:
>
>     https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594
>
>     But it's early in the morning and I need more coffee, so...
>
>     - benoit
>
>     _______________________________________________
>     erlang-questions mailing list
>     erlang-questions@REDACTED <mailto:erlang-questions@REDACTED>
>     http://erlang.org/mailman/listinfo/erlang-questions
>
>
>
>
> --
> Best regards
> Alexei Sholik
>
>
>

-- 
Loïc Hoguin
http://ninenines.eu
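Added example, not code from the thread, from OTP or from any of the libraries mentioned: the "verify it properly" httpc request Loïc asks for, closing both gaps the thread found (verify_none as the default, and no hostname check even with verify_peer). It assumes an OTP release new enough to have uri_string (OTP 21+) and the ssl option customize_hostname_check with public_key:pkix_verify_hostname_match_fun/1 (OTP 20+), so it would not run on the OTP 17.0 used in the tests above, where a custom verify_fun was the only route to a hostname check. The module name, the URL and the CA bundle path are illustrative assumptions.

```erlang
%% Added example (not from the thread). Makes an httpc GET that rejects
%% untrusted chains and certificates whose names do not match the URL host.
%% Assumes OTP 21+ (uri_string) and the ssl option customize_hostname_check.
-module(verified_get).
-export([get/2]).

%% Url    : full https URL as a string, e.g. "https://localhost:8443/delay"
%%          (assumed, matches the thread's test server).
%% CaFile : path to a PEM bundle of trusted root CAs. Platform dependent;
%%          for the test server above it would be "priv/ssl/rootCA.pem".
get(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, _} = application:ensure_all_started(inets),
    #{host := Host} = uri_string:parse(Url),
    SslOpts = [
        %% Without this the default is verify_none and any cert is accepted.
        {verify, verify_peer},
        {cacertfile, CaFile},
        %% Bound the chain length ssl is willing to walk.
        {depth, 3},
        %% Send SNI and make ssl check the presented cert's names against
        %% Host; verify_peer alone does not do this.
        {server_name_indication, Host},
        %% Use the HTTPS name-matching rules (wildcard handling) from RFC 6125.
        {customize_hostname_check,
         [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}
    ],
    %% An untrusted chain or a name mismatch now surfaces as {error, _}
    %% instead of the {ok, 200, ...} the thread saw with the defaults.
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], []).
```

Against the httpcbench server from the thread, verified_get:get("https://localhost:8443/delay", "priv/ssl/rootCA.pem") should fail the same way the second curl invocation does, because the certificate's subject name is not 'localhost'; dropping the cacertfile option should fail the way the first one does. Reading the CA bundle on every call is wasteful; in real code load it once and pass {cacerts, DerList} instead.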
