[erlang-questions] What lib to use for http requests
Benoit Chesneau
bchesneau@REDACTED
Sun Dec 14 22:48:28 CET 2014
> On 14 Dec 2014, at 22:27, Drew Varner <drew.varner@REDACTED> wrote:
>
> Benoit,
>
> Nice. Is there any CRL or OCSP integration implemented or planned?
>
> Cheers,
> Drew
>
Could you open a ticket about it? If it’s possible I would say why not. Not sure what it requires right now though.
- benoit
>
>
> On Dec 14, 2014, at 4:24 PM, Benoit Chesneau <bchesneau@REDACTED> wrote:
>
>>
>>
>> On Fri, Dec 12, 2014 at 10:18 PM, Drew Varner <drew.varner@REDACTED> wrote:
>> Mark,
>>
>> If you are communicating to servers via HTTPS, Hackney and other HTTP clients allow you to pass options to the underlying SSL/TLS socket, including some verification of the peer certificate. For example:
>>
>> https://github.com/talko/httpcbench/blob/master/src/httpcbench_client.erl#L79-L86
>>
>> Gun has an open issue to address this (https://github.com/extend/gun/pull/27), but it is not implemented. If you use Gun as your HTTPS client, you’re open to man-in-the-middle attacks.
>>
>> Do not fall into a false sense of security that any Erlang HTTPS clients provide complete protection against man-in-the-middle attacks out of the box. You’ll also want to consider cases where your peer certificate was revoked by a Certificate Authority. You’d want to know how your HTTPS client handles certificates when their revocation data has been published via a CRL or OCSP. CRL verification has made some headway in Erlang (see the ssl module docs and https://github.com/Vagabond/erl_crl_example <http://erlang.org/doc/man/ssl.html>). You’ll also want to look at hostname verification (https://github.com/deadtrickster/ssl_verify_hostname.erl <https://github.com/benoitc/ssl_verify_hostname>).
>>
>> HTTPS is as secure as you make it.
>>
>>
>> Just to expand a little bit: on the latest stable Erlang versions of SSL, hackney 1.0.x now checks SSL certificates and their hostname by default.
>>
>> - benoit
>>
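
The peer-verification options discussed in the quoted message (chain verification, hostname check, CRL lookup) written out as a client option list. This is an added example, not part of the thread or of any project named in it. It assumes OTP 25 or later (for `public_key:cacerts_get/0`); the module and function names are hypothetical.

```erlang
%% Added example; module and function names are hypothetical.
%% Assumes OTP 25+ and that the inets application is available for CRL fetches.
-module(tls_client_opts).
-export([strict_opts/1, check/2]).

%% Client options that verify the certificate chain, the hostname and,
%% through CRL distribution points, the revocation status.
strict_opts(Host) when is_list(Host) ->
    [{verify, verify_peer},                     % fail the handshake on an untrusted chain
     {cacerts, public_key:cacerts_get()},       % trust anchors from the OS store
     {server_name_indication, Host},            % SNI; also the name the cert is matched against
     {customize_hostname_check,                 % HTTPS-style wildcard matching
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]},
     %% best_effort accepts the peer when no CRL can be fetched;
     %% 'true' fails closed instead, so pick per deployment.
     {crl_check, best_effort},
     {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}].

%% Connect, complete the handshake and report why it was refused, if it was.
check(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, _} = application:ensure_all_started(inets),   % HTTP download of CRLs
    case ssl:connect(Host, Port, strict_opts(Host), 10000) of
        {ok, Sock} ->
            {ok, Info} = ssl:connection_information(
                           Sock, [protocol, selected_cipher_suite]),
            ok = ssl:close(Sock),
            {ok, Info};
        {error, {tls_alert, {Alert, _Text}}} ->
            %% e.g. bad_certificate, unknown_ca, certificate_revoked, handshake_failure
            {rejected, Alert};
        {error, Reason} ->
            {error, Reason}
    end.
```

The same list can be handed to an HTTP client that forwards TLS options to the socket, for example through hackney's `ssl_options` request option.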