<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body dir="ltr">
<div id="OWAFontStyleDivID" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>What I am seeing is that it is insecure by default (both httpc and hackney). I also don't see a way to make it secure. </p>
<p><br>
</p>
<p>Is there an option that I can pass that will cause it to validate that the cert matches the host? </p>
<p><br>
</p>
<p>Is there an easier way to turn on validation than passing [{validate, validate_peer}, {cacertfile, ...}] on every request?</p>
<p><br>
</p>
<p>It never even occurred to me that an http client would be insecure by default when connecting over https.</p>
<p><br>
</p>
<p>thanks,<br>
</p>
<p>Ransom <br>
</p>
<div style="color: rgb(40, 40, 40);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Benoit Chesneau <bchesneau@gmail.com><br>
<b>Sent:</b> Friday, April 18, 2014 11:06 PM<br>
<b>To:</b> Ransom Richardson<br>
<b>Cc:</b> erlang-questions@erlang.org<br>
<b>Subject:</b> Re: [erlang-questions] HTTPC doesn't do HTTPS validation</font>
<div> </div>
</div>
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Apr 19, 2014 at 2:48 AM, Ransom Richardson <span dir="ltr">
<<a href="mailto:ransomr@talko.com" target="_blank">ransomr@talko.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>I set up a local test server that has a cert signed by my own self-signed CA cert. Also the CN in the cert is not localhost. As expected, curl doesn't like this:<br>
</p>
<p><br>
</p>
<div>talko@ubuntu:~/dev/httpcbench$ curl <a href="https://localhost:8443/delay" target="_blank">
https://localhost:8443/delay</a></div>
<div>curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:</div>
<div>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div>
<div><br>
</div>
<div>talko@ubuntu:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem <a href="https://localhost:8443/delay" target="_blank">
https://localhost:8443/delay</a></div>
<div>curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'<br>
</div>
<div><br>
</div>
<div>However httpc doesn't complain, despite not having the CA cert:<br>
</div>
<div><br>
</div>
<div>
<div>3> httpc:request("<a href="https://localhost:8443/delay" target="_blank">https://localhost:8443/delay</a>").</div>
<div>{ok,{{"HTTP/1.1",200,"OK"},</div>
<div>     [{"connection","keep-alive"},</div>
<div>      {"date","Sat, 19 Apr 2014 00:31:56 GMT"},</div>
<div>      {"server","Cowboy"},</div>
<div>      {"content-length","0"}],</div>
<div>     []}}</div>
<div><br>
</div>
<div>And even if I tell it to verify the peer, it doesn't complain that the host name doesn't match the cert:</div>
<div><br>
</div>
<div>
<div>6> httpc:request(get, {"<a href="https://localhost:8443/delay" target="_blank">https://localhost:8443/delay</a>", []}, [{ssl, [{verify, verify_peer}, {cacertfile, "./priv/ssl/rootCA.pem"}]}], []).</div>
<div>{ok,{{"HTTP/1.1",200,"OK"},</div>
<div>     [{"connection","keep-alive"},</div>
<div>      {"date","Sat, 19 Apr 2014 00:36:09 GMT"},</div>
<div>      {"server","Cowboy"},</div>
<div>      {"content-length","0"}],</div>
<div>     []}}</div>
<div><br>
</div>
<div>I actually noticed this when trying to test hackney, which has the same behavior as httpc.<br>
</div>
<div><br>
</div>
<div>Does anyone know if any of the many other http clients out there do any HTTPS validation?<br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div>I don't know about httpc, but hackney doesn't pass any default option to the ssl socket when you connect over HTTPS, except if you pass the insecure option to the request (which provides the same feature you find in curl).</div>
<div><br>
</div>
<div>- benoit</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>