[erlang-questions] ssl certificate verification in httpc

Robert Raschke rtrlists@REDACTED
Tue Jul 15 13:41:43 CEST 2014


Hi Ivan,

SSL essentially does two things at once: encrypts the data and checks if
client and/or server are who they say they are. The latter is where
certificate verification comes into play, the encryption part is always
done and usually automatically negotiated between client and server.

So, if all you are aiming for is encrypting the data travelling between
client and server, then you don't need the ssl option. Just point your
httpc:request at an "https://..." URL and the encryption is handled for you
without you having to do anything more.

Hope this helps,
Robby



On 15 July 2014 12:27, Ivan Uemlianin <ivan@REDACTED> wrote:

> Dear Robby
>
> Thanks for your comment.  I'm not sure if I need to verify the certificate
> either :D.  I was assuming the client needs to verify the certificate
> otherwise how is the connection "secure"?
>
> [more or less completely ignorant about ssl]
>
> Of course if the client doesn't need to verify the certificate that would
> be most convenient.
>
> Best wishes
>
> Ivan
>
>
>
> On 15/07/2014 12:18, Robert Raschke wrote:
>
>> Hi Ivan,
>>
>> are you sure you need to verify the certificate? If SSL is only used for
>> encryption, then a simple request will do the trick, that is, just leave
>> out the ssl option.
>>
>> I've never verified a cert, so if you do need that, hopefully someone
>> else can be of assistance.
>>
>> Regards,
>> Robby
>>
>>
>>
>> On 15 July 2014 11:58, Ivan Uemlianin <ivan@REDACTED> wrote:
>>
>>     Dear All
>>
>>     I am using httpc to access a web server over https.  From reading
>>     the erlang ssl docs, this looks like the right way to do it:
>>
>>          Url = "https://bla.org/bla",
>>          SSLOpts = [{verify, verify_peer},
>>                     {cacertfile,"certificates.crt"}],
>>
>>          httpc:request(get, {Url, []}, [{ssl,SSLOpts}], []).
>>
>>     But this returns an unknown ca error:
>>
>>          {error,{failed_connect,[{to_address,{"bla.org", 443}},
>>                                  {inet,[inet],{tls_alert,"unknown ca"}}]}}
>>
>>          11:06:04.942 [error] SSL: certify: ssl_handshake.erl:1344:Fatal error: unknown ca
>>
>>     The certificates file is in pem format, and I can't see from the
>>     docs page what ssl options I might add.  Is there somewhere else I
>>     need to add a reference to the CA?
>>
>>     In short, what am I missing to be able to verify this certificate?
>>
>>     With thanks and best wishes
>>
>>     Ivan
>>
>>
>>     --
>>     ============================================================
>>
>>     Ivan A. Uemlianin PhD
>>     Llaisdy
>>     Speech Technology Research and Development
>>
>>     ivan@REDACTED
>>     www.llaisdy.com
>>     llaisdy.wordpress.com
>>     github.com/llaisdy
>>     www.linkedin.com/in/ivanuemlianin
>>
>>                              festina lente
>>     ============================================================
>>
>>
> --
> ============================================================
> Ivan A. Uemlianin PhD
> Llaisdy
> Speech Technology Research and Development
>
>                     ivan@REDACTED
>                      www.llaisdy.com
>                          llaisdy.wordpress.com
>               github.com/llaisdy
>                      www.linkedin.com/in/ivanuemlianin
>
>                         festina lente
> ============================================================
>
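
A verified request along the lines of the one in the original question, as an added example (not code from any poster in this thread): it keeps `verify_peer`, so the server is authenticated as well as the traffic encrypted, and it reports a TLS alert such as `unknown ca` as a distinct result. The module and function names are hypothetical; it assumes OTP 21 or later and a PEM file that contains the CA which issued the server's certificate.

```erlang
-module(https_verify_example).
-export([fetch/2, classify/1]).

%% Added example. Module/function names are illustrative, not from the thread.
%% Assumes OTP 21+ (customize_hostname_check, pkix_verify_hostname_match_fun).

%% Fetch Url over HTTPS, authenticating the server against the CA
%% certificates in the PEM file CaFile.
fetch(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    SSLOpts =
        [%% Fail the handshake unless the chain ends in a CA from CaFile.
         {verify, verify_peer},
         {cacertfile, CaFile},
         %% Match the certificate name against the URL host with the
         %% HTTPS rules (allows wildcard names such as *.example.org).
         {customize_hostname_check,
          [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
    classify(httpc:request(get, {Url, []}, [{ssl, SSLOpts}], [])).

%% Reduce the httpc result to something a caller can act on.
classify({ok, {{_Vsn, Status, _Phrase}, _Headers, _Body}}) ->
    {ok, Status};
classify({error, {failed_connect, Info}}) ->
    %% Info looks like [{to_address, {Host, Port}}, {inet, [inet], Reason}].
    case lists:keyfind(inet, 1, Info) of
        {inet, _, {tls_alert, Alert}} -> {tls_rejected, alert_name(Alert)};
        {inet, _, Reason}             -> {connect_failed, Reason};
        false                         -> {connect_failed, Info}
    end;
classify({error, Reason}) ->
    {error, Reason}.

%% Older releases report the alert as a string (as in the error quoted
%% above); newer ones report {AlertAtom, Text}.
alert_name({Name, _Text}) when is_atom(Name) -> Name;
alert_name("unknown ca")                     -> unknown_ca;
alert_name(Other)                            -> Other.
```

A result of `{tls_rejected, unknown_ca}` means the client could not build a chain from the server's certificate to any CA in the supplied file, so the connection was refused instead of proceeding unauthenticated.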