[erlang-questions] What lib to use for http requests
Benoit Chesneau
bchesneau@REDACTED
Sun Dec 14 22:24:11 CET 2014
On Fri, Dec 12, 2014 at 10:18 PM, Drew Varner <drew.varner@REDACTED>
wrote:
>
> Mark,
>
> If you are communicating to servers via HTTPS, Hackney and other HTTP
> clients allow you to pass options to the underlying SSL/TLS socket,
> including some verification of the peer certificate. For example:
>
>
> https://github.com/talko/httpcbench/blob/master/src/httpcbench_client.erl#L79-L86
>
> Gun has an open issue to address this (
> https://github.com/extend/gun/pull/27), but it is not implemented. If you
> use Gun as your HTTPS client, you’re open to man-in-the-middle attacks.
>
> Do not fall into a false sense of security that any Erlang HTTPS clients
> provide complete protection against man-in-the-middle attacks out of the
> box. You’ll also want to consider cases where your peer certificate was
> revoked by a Certificate Authority. You’d want to know how your HTTPS
> client handles certificates when their revocation data has been published
> via a CRL or OCSP. CRL verification has made some headway in Erlang (see
> the ssl module docs <http://erlang.org/doc/man/ssl.html> and
> https://github.com/Vagabond/erl_crl_example). You'll also want to look at
> hostname verification
> (https://github.com/deadtrickster/ssl_verify_hostname.erl and
> https://github.com/benoitc/ssl_verify_hostname).
>
> HTTPS is as secure as you make it.
>
Just to expand a little bit: with the latest stable Erlang releases of SSL,
hackney 1.0.x checks SSL certificates and their hostnames by default.

- benoit
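The thread above says what to watch for (peer verification, hostname checking, revocation) but does not show the option list itself. The following Erlang module is an added example, not code from the thread, from hackney or from OTP: it builds one strict set of options for the OTP ssl module and hands the same list to the raw socket, to httpc (via the `ssl` HTTP option) and to hackney (via its `ssl_options` request option). The CA bundle path and the module/function names are assumptions; `customize_hostname_check` needs OTP 20 or later and `crl_check`/`crl_cache` need OTP 18 or later, so the example assumes a newer release than the 2014 thread was written against.

```erlang
%% strict_https.erl -- added example (not from the mailing-list thread).
%% One option list that enables chain verification, hostname matching
%% and CRL checking, passed to ssl:connect/4, httpc:request/4 and
%% hackney:request/5.
-module(strict_https).
-export([ssl_options/1, connect/2, get_with_httpc/1, get_with_hackney/1]).

%% Hypothetical CA bundle location; point this at your platform's store.
-define(CA_BUNDLE, "/etc/ssl/certs/ca-certificates.crt").

%% Host is the DNS name the certificate must match (a charlist).
ssl_options(Host) ->
    [%% Without verify_peer the chain is accepted unconditionally.
     {verify, verify_peer},
     {cacertfile, ?CA_BUNDLE},
     {depth, 3},
     %% Send SNI and use the same name for the hostname check below.
     {server_name_indication, Host},
     %% Match the name against the SAN/CN per RFC 6125 (OTP 20+).
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]},
     %% Fetch CRLs named in the certificate's distribution points over
     %% HTTP and fail the handshake if one cannot be obtained (OTP 18+).
     %% Use {crl_check, best_effort} if unreachable CRLs must not be fatal.
     {crl_check, true},
     {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}].

%% Open and immediately close a verified TLS socket; returns ok or
%% {error, Reason} (for example a bad_certificate alert).
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ssl:connect(Host, Port, ssl_options(Host), 10000) of
        {ok, Sock} ->
            ok = ssl:close(Sock),
            ok;
        {error, Reason} ->
            {error, Reason}
    end.

host_of(Url) ->
    #{host := Host} = uri_string:parse(Url),
    Host.

%% OTP httpc: TLS options travel in the HTTP options list as {ssl, Opts}.
get_with_httpc(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    HttpOpts = [{ssl, ssl_options(host_of(Url))}],
    case httpc:request(get, {Url, []}, HttpOpts, []) of
        {ok, {{_Vsn, Status, _Phrase}, _Headers, _Body}} -> {ok, Status};
        {error, Reason} -> {error, Reason}
    end.

%% hackney: TLS options travel in the request options as {ssl_options, Opts}.
get_with_hackney(Url) ->
    {ok, _} = application:ensure_all_started(hackney),
    ReqOpts = [{ssl_options, ssl_options(host_of(Url))}],
    case hackney:request(get, Url, [], <<>>, ReqOpts) of
        {ok, Status, _Headers, Ref} ->
            ok = hackney:close(Ref),
            {ok, Status};
        {error, Reason} ->
            {error, Reason}
    end.
```

A quick way to confirm the options actually bite is to call `strict_https:connect("expired.badssl.com", 443)` or a host whose certificate does not match the name and check that the result is `{error, _}` rather than `ok`; if it connects, the verification options are not reaching the socket (for hackney, also make sure no `{insecure, true}` is set anywhere in the option list, since that disables verification).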