<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 14 Dec 2014, at 22:27, Drew Varner <<a href="mailto:drew.varner@redops.org" class="">drew.varner@redops.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="content-type" content="text/html; charset=utf-8" class=""><div dir="auto" class=""><div class="">Benoit,</div><div class=""><br class=""></div><div class="">Nice. Is there any CRL or OCSP integration implemented or planned?</div><div class=""><br class=""></div><div class="">Cheers,</div><div class="">Drew<br class=""><br class=""></div></div></div></blockquote><div><br class=""></div>Could you open a ticket about it? If it’s possible I would say why not. Not sure what it requires right now though.</div><div><br class=""></div><div>- benoit<br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div class=""><br class=""></div><div class=""><br class="">On Dec 14, 2014, at 4:24 PM, Benoit Chesneau <<a href="mailto:bchesneau@gmail.com" class="">bchesneau@gmail.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><br class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Fri, Dec 12, 2014 at 10:18 PM, Drew Varner <span dir="ltr" class=""><<a href="mailto:drew.varner@redops.org" target="_blank" class="">drew.varner@redops.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Mark,<div class=""><br class=""></div><div class="">If you are communicating to servers via HTTPS, Hackney and other HTTP clients allow you to pass options to the underlying SSL/TLS socket, including some verification of the 
peer certificate. For example:<div class=""><br class=""></div><div class=""><a href="https://github.com/talko/httpcbench/blob/master/src/httpcbench_client.erl#L79-L86" target="_blank" class="">https://github.com/talko/httpcbench/blob/master/src/httpcbench_client.erl#L79-L86</a></div><div class=""><br class=""></div><div class="">Gun has an open issue to address this (<a href="https://github.com/extend/gun/pull/27" target="_blank" class="">https://github.com/extend/gun/pull/27</a>), but it is not implemented. If you use Gun as your HTTPS client, you’re open to man-in-the-middle attacks.</div><div class=""><br class=""></div><div class="">Do not fall into a false sense of security that any Erlang HTTPS clients provide complete protection against man-in-the-middle attacks out of the box. You’ll also want to consider cases where your peer certificate was revoked by a Certificate Authority. You’d want to know how your HTTPS client handles certificates when their revocation data has been published via a CRL or OCSP. CRL verification has made some headway in Erlang (see the ssl module docs and <a href="http://erlang.org/doc/man/ssl.html" target="_blank" class="">https://github.com/Vagabond/erl_crl_example</a>). You’ll also want to look at hostname verification (<a href="https://github.com/benoitc/ssl_verify_hostname" target="_blank" class="">https://github.com/deadtrickster/ssl_verify_hostname.erl</a>). </div><div class=""><br class=""></div><div class="">HTTPS is as secure as you make it.</div></div></div></blockquote><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Just to expand a little bit, now on latest stable erlang versions of SSL hackney 1.0.x is by default checking SSL certificates and their hostname.</div><div class=""><br class=""></div><div class="">- benoit</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br class=""></blockquote></div></div></div>
</div></blockquote></div></div></blockquote></div><br class=""></body></html>
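An added example, not code from this thread nor from hackney, gun or OTP, of the hardening Drew describes: an Erlang module that builds ssl options for peer verification, hostname checking through the ssl_verify_hostname library and CRL checking, and hands them to hackney. It assumes hackney 1.x and ssl_verify_hostname are on the code path, that CAFile is a PEM bundle of trusted roots, and that the OTP release in use supports the ssl crl_check and crl_cache options.

```erlang
%% Added example; not code from the mailing-list thread or from hackney/gun/OTP.
%% Assumptions: hackney 1.x and the ssl_verify_hostname library are available,
%% CAFile is a PEM bundle of trusted CA certificates, and the OTP ssl
%% application supports the crl_check / crl_cache options.
-module(https_verify_example).
-export([ssl_opts/2, get/2]).

%% TLS options that switch on peer-certificate verification, limit chain
%% depth, verify the hostname and check CRLs for an outgoing HTTPS connection.
%% Without {verify, verify_peer} the ssl application accepts any certificate.
ssl_opts(Host, CAFile) when is_list(Host), is_list(CAFile) ->
    [{verify, verify_peer},               %% reject chains that do not verify
     {cacertfile, CAFile},                %% trust anchors (PEM bundle)
     {depth, 3},                          %% maximum intermediates accepted
     {server_name_indication, Host},      %% SNI for virtual-hosted servers
     %% hostname verification via ssl_verify_hostname (check_hostname option)
     {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
                   [{check_hostname, Host}]}},
     %% revocation: have ssl fetch CRLs from the certificates' distribution
     %% points; 'true' checks every certificate in the chain, 'peer' only the
     %% leaf (option names assumed to match the OTP ssl documentation)
     {crl_check, true},
     {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}].

%% Fetch Url over HTTPS through hackney with the hardened options.
%% Returns {ok, Status, Headers, Body} or {error, Reason}; a verification
%% failure (bad chain, wrong hostname, revoked cert) surfaces as {error, _}.
get(Url, CAFile) when is_binary(Url) ->
    {ok, {https, _UserInfo, Host, _Port, _Path, _Query}} =
        http_uri:parse(binary_to_list(Url)),
    Opts = [{ssl_options, ssl_opts(Host, CAFile)}, {connect_timeout, 5000}],
    case hackney:request(get, Url, [], <<>>, Opts) of
        {ok, Status, Headers, Ref} ->
            {ok, Body} = hackney:body(Ref),
            {ok, Status, Headers, Body};
        {error, Reason} ->
            {error, Reason}
    end.
```

The pattern match on `https` in get/2 deliberately crashes on a plain http URL so that a downgraded scheme is never silently accepted.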