<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr">
<div id="OWAFontStyleDivID" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Thanks, it looks like that would work, and I also don't see an easier way.</p>
<p><br>
</p>
<p>But I'm still shocked that to make a https request in Erlang that verifies that the server cert matches the URL, I need to define my own verify function. And I need to pass a bunch of ssl options on each request - presumably one of which is platform dependent
(the list of root CA certs). <span style="font-size: 12pt;">All to do something that curl does by default</span><span style="font-size: 12pt;">.</span></p>
<p><br>
</p>
<p>For the record, I've tested httpc, lhttpc, ibrowse and hackney, and none of them actually verify the server has a certificate for the URL they are connecting to.<br>
</p>
<p><br>
</p>
<div style="color: rgb(40, 40, 40);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Alexei Sholik <alcosholik@gmail.com><br>
<b>Sent:</b> Monday, April 21, 2014 4:55 PM<br>
<b>To:</b> Ransom Richardson<br>
<b>Cc:</b> Benoit Chesneau; erlang-questions@erlang.org<br>
<b>Subject:</b> Re: [erlang-questions] HTTPC doesn't do HTTPS validation</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Ransom, if you look at the code closely, you'll see that it uses UserVerifyFun (undefined by default) for the verification.<br>
<br>
</div>
There is also fail_if_no_peer_cert option which is set to false by default.<br>
<div><br>
<a href="https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L589">https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L589</a><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Apr 21, 2014 at 9:58 PM, Ransom Richardson <span dir="ltr">
<<a href="mailto:ransomr@talko.com" target="_blank">ransomr@talko.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>verify_none does seem like the default.<br>
</p>
<p><br>
</p>
<p>Also, even if I pass verify_peer, nothing checks if the host name in the certificate matches the host that I am connecting to. So a server can present any validly signed certificate for a different site.<br>
</p>
<p><br>
</p>
<p>Ransom<br>
</p>
<p><br>
</p>
<div style="color:rgb(40,40,40)">
<hr style="display:inline-block; width:98%">
<div dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> Benoit Chesneau <<a href="mailto:bchesneau@gmail.com" target="_blank">bchesneau@gmail.com</a>><br>
<b>Sent:</b> Saturday, April 19, 2014 12:31 AM
<div class=""><br>
<b>To:</b> Ransom Richardson<br>
<b>Cc:</b> <a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<b>Subject:</b> Re: [erlang-questions] HTTPC doesn't do HTTPS validation</div>
</font>
<div> </div>
</div>
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div>
<div class="h5"><br>
<div class="gmail_quote">On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <span dir="ltr">
<<a href="mailto:ransomr@talko.com" target="_blank">ransomr@talko.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left-width:1px; border-left-color:rgb(204,204,204); border-left-style:solid; padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>But as I reported in this issue <a href="https://github.com/benoitc/hackney/issues/101" target="_blank">https://github.com/benoitc/hackney/issues/101</a> I tested against a server with an invalid cert, and hackney did not catch the error. httpc also returned
ok.<br>
</p>
<p><br>
</p>
<p></p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace; font-size:13px; margin-top:15px; margin-bottom:15px; background-color:rgb(248,248,248); border:1px solid rgb(221,221,221); line-height:19px; overflow:auto; padding:6px 10px; word-wrap:normal; color:rgb(51,51,51)"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace; font-size:12px; margin:0px; border:none; background-color:transparent; padding:0px; word-wrap:normal; display:inline; line-height:inherit">1> hackney:get(<<"<a href="https://localhost:8443/delay" target="_blank">https://localhost:8443/delay</a>">>, [], <<>>, []).
{ok,200,
[{<<"connection">>,<<"keep-alive">>},
{<<"server">>,<<"Cowboy">>},
{<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
{<<"content-length">>,<<"0">>}],
#Ref<0.0.0.111>}</code><br></pre>
<p>The same happens if I pass validate_peer and the rootCA file as ssl_options.<br>
</p>
<p><br>
</p>
<p>curl correctly rejects the server:<br>
</p>
<div>
<p><br>
</p>
<pre style="font-family:Consolas,'Liberation Mono',Courier,monospace; font-size:13px; margin-top:15px; background-color:rgb(248,248,248); border:1px solid rgb(221,221,221); line-height:19px; overflow:auto; padding:6px 10px; word-wrap:normal; color:rgb(51,51,51); margin-bottom:0px!important"><code style="font-family:Consolas,'Liberation Mono',Courier,monospace; font-size:12px; margin:0px; border:none; background-color:transparent; padding:0px; word-wrap:normal; display:inline; line-height:inherit">talko@ubuntu:~/dev/httpcbench$ curl <a href="https://localhost:8443/delay" target="_blank">https://localhost:8443/delay</a>
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
talko@ubuntu:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem <a href="https://localhost:8443/delay" target="_blank">https://localhost:8443/delay</a>
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'</code><br></pre>
<p><br>
</p>
</div>
<p>This is using Erlang 17.0. Is it possible that the ssl default changed?<br>
</p>
<p><br>
</p>
<p>Or am I doing something wrong?<br>
</p>
<p><br>
</p>
<p>The server I'm testing against is in this repo: <a href="https://github.com/talko/httpcbench." target="_blank">https://github.com/talko/httpcbench.</a> It's a work in progress, but if you pull, make and run_server you should see the same issue. <br>
</p>
<p><br>
</p>
<p>thanks,<br>
</p>
<p>Ransom<br>
</p>
<p><br>
</p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>hrm looks like the default is verify_none:</div>
<div><br>
</div>
<div><a href="https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594" target="_blank">https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594</a></div>
<div><br>
</div>
<div>But it's early in the morning and I need more cafe, so...</div>
<div><br>
</div>
<div>- benoit</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Best regards<br>
Alexei Sholik </div>
</div>
</div>
</div>
</body>
</html>