<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body dir="ltr">
<div id="OWAFontStyleDivID" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I set up a local test server that has a cert signed by my own self-signed CA cert. Also, the CN in the cert is not localhost. As expected, curl doesn't like this:<br>
</p>
<p><br>
</p>
<div>talko@ubuntu:~/dev/httpcbench$ curl https://localhost:8443/delay</div>
<div>curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:</div>
<div>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</div>
<div><br>
</div>
<div>talko@ubuntu:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay</div>
<div>curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'<br>
</div>
<div><br>
</div>
<div>However, httpc doesn't complain, despite not having the CA cert:<br>
</div>
<div><br>
</div>
<div>
<div>3> httpc:request("https://localhost:8443/delay").</div>
<div>{ok,{{"HTTP/1.1",200,"OK"},</div>
<div>     [{"connection","keep-alive"},</div>
<div>      {"date","Sat, 19 Apr 2014 00:31:56 GMT"},</div>
<div>      {"server","Cowboy"},</div>
<div>      {"content-length","0"}],</div>
<div>     []}}</div>
<div><br>
</div>
<div>And even if I tell it to verify the peer, it doesn't complain that the host name doesn't match the cert:</div>
<div><br>
</div>
<div>
<div>6> httpc:request(get, {"https://localhost:8443/delay", []}, [{ssl, [{verify, verify_peer}, {cacertfile, "./priv/ssl/rootCA.pem"}]}], []).</div>
<div>{ok,{{"HTTP/1.1",200,"OK"},</div>
<div>     [{"connection","keep-alive"},</div>
<div>      {"date","Sat, 19 Apr 2014 00:36:09 GMT"},</div>
<div>      {"server","Cowboy"},</div>
<div>      {"content-length","0"}],</div>
<div>     []}}</div>
<div><br>
</div>
<div>I actually noticed this when trying to test hackney, which has the same behavior as httpc.<br>
</div>
<div><br>
</div>
<div>Does anyone know if any of the many other http clients out there do any HTTPS validation?<br>
</div>
<div><br>
</div>
<div>thanks,<br>
</div>
<div>Ransom<br>
</div>
<div><br>
</div>
<br>
</div>
<br>
</div>
<p><br>
</p>
</div>
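<p>An added example, not part of the original message: an httpc wrapper that enforces both chain and host name verification, plus an offline check of a certificate file against a host name (the comparison behind curl's error 51 above). It assumes OTP 21 or later; the module name <code>strict_https</code>, its function names and the file arguments are hypothetical.</p>

```erlang
-module(strict_https).
-export([get/2, ssl_opts/1, cert_matches_host/2]).

%% TLS client options that check the chain and the host name.
%% CaFile is the PEM file holding the trusted root (hypothetical argument).
ssl_opts(CaFile) ->
    [{verify, verify_peer},          % reject chains not rooted in CaFile
     {cacertfile, CaFile},
     {depth, 2},                     % allow at most two intermediate CAs
     %% Match the certificate against the host that httpc connects to,
     %% using HTTPS rules (wildcards in the left-most label).
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% GET Url and return {ok, StatusCode}, or {error, Reason} when the TLS
%% handshake (including certificate validation) or the request fails.
get(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    case httpc:request(get, {Url, []}, [{ssl, ssl_opts(CaFile)}], []) of
        {ok, {{_Version, Status, _Phrase}, _Headers, _Body}} ->
            {ok, Status};
        {error, Reason} ->
            {error, Reason}
    end.

%% Offline check: does the first certificate in PemFile match Host?
%% Returns true or false. With no subjectAltName dNSName entries,
%% public_key falls back to comparing the subject CN.
cert_matches_host(PemFile, Host) ->
    {ok, Pem} = file:read_file(PemFile),
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    Cert = public_key:pkix_decode_cert(Der, otp),
    public_key:pkix_verify_hostname(Cert, [{dns_id, Host}]).
```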
</body>
</html>