<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Apr 19, 2014 at 6:02 AM, Ransom Richardson <span dir="ltr"><<a href="mailto:ransomr@talko.com" target="_blank">ransomr@talko.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>What I am seeing is that it is insecure by default (both httpc and hackney). I also don't see a way to make it secure. </p></div></div></blockquote><div><br></div><div>There is no such default in hackney:</div><div>
<br></div><div><a href="https://github.com/benoitc/hackney/blob/master/src/hackney_connect.erl#L201">https://github.com/benoitc/hackney/blob/master/src/hackney_connect.erl#L201</a></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div style="font-size:12pt;font-family:Calibri,Arial,Helvetica,sans-serif">
<p><br>
</p>
<p>Is there an option that I can pass that will cause it to validate that the cert matches the host? </p></div></div></blockquote><div><br></div><div>Using the validate_fun function probably. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div style="font-size:12pt;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Is there an easier way to turn on validation than passing [{validate, validate_peer}, {cacertfile, ...}] on every request?</p>
<p><br>
</p>
<p>It never even occurred to me that an http client would be insecure by default when connecting over https.</p></div></div></blockquote><div><br></div><div>it isn't. A lot were.</div><div><br></div><div>- benoit</div>
</div></div></div>