[erlang-questions] https request certificate validation
Ingela Andin
ingela@REDACTED
Tue Apr 19 12:15:25 CEST 2011
Hello,
In R13 our new ssl implementation was being introduced and was
experimental, so the API and default behavior may wobble a bit in R13*.
In R14B02 you should get the wanted behavior by using the {verify,
verify_peer} and {cacertfile, "File.pem"} options ({verify, Number}
is deprecated). If you want to verify peer-certs you must have some
known root-cacerts to verify the root of the peer-cert chain. That is
why you get the eoptions "error in options list" (legacy return
value).
Regards,
Ingela
Erlang/OTP team - Ericsson AB

>2011/4/18 rtsome <rtsome@REDACTED>:
> Hi.
> So I want the request to fail if the server certificate is self-signed.
> I tried different options but no luck.
>
> -module(tst).
> -compile(export_all).
>
> get(Url, Opt)->
>     case http:request(get, {Url, []}, Opt,[]) of
>         {ok, {H,_Headers,_Response}} ->
>             {ok , H};
>         O -> O
>     end.
>
> g()->
>     inets:start(),
>     ssl:start(),
>     http:set_options([{max_sessions, 0}
>                      ,{max_keep_alive_length, 0}
>                      % ,{verbose, verbose}
>                      ]),
>     Opts = [[{ssl,[{verify, verify_peer}]}]
>            ,[{ssl,[{verify, verify_peer}]}]
>            ,[{ssl,[{verify, 2}]}]
>            ,[{ssl,[{verify, 1}]}]
>            ,[{ssl,[{verify, 0}]}]
>            ,[{ssl,[{verify, verify_peer}]}]
>            ],
>     io:format("~p~n",[[get("https://localhost", O) || O <- Opts]]),
>     io:format("~p~n",[[get("https://mail.google.com/mail/", O) || O <- Opts]]),
>     init:stop().
>
> Typical output:
> [{error,{connect_failed,eoptions}},
> {error,{connect_failed,eoptions}},
> {ok,{"HTTP/1.1",200,"OK"}},
> {ok,{"HTTP/1.1",200,"OK"}},
> {ok,{"HTTP/1.1",200,"OK"}},
> {error,{connect_failed,eoptions}}]
> [{error,{connect_failed,eoptions}},
> {error,{connect_failed,eoptions}},
> {ok,{"HTTP/1.1",200,"OK"}},
> {ok,{"HTTP/1.1",200,"OK"}},
> {ok,{"HTTP/1.1",200,"OK"}},
> {ok,{"HTTP/1.1",200,"OK"}}]
>
> Note the 'verify_peer' variant. It fails irregularly, independently of
> certificate validity.
> Erlang versions under consideration:
> R13B03@REDACTED ubuntu
> R14B02@REDACTED
>
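
The advice in the reply above (use {verify, verify_peer} together with trusted root CA certificates, and avoid {verify, Number}) as an added example; it is not code from the thread or from Erlang/OTP. The module name, function names and error terms are made up for the illustration, "File.pem" is the placeholder file name from the reply, the check deliberately requires verify_peer to be set explicitly, and httpc is used because it is the inets client module that replaced http.

```erlang
-module(https_verify_example).
-export([check_ssl_opts/1, request/2, audit/0]).

%% Pre-flight check of an ssl option list against the advice in the reply.
%% The error terms are names made up for this example, not OTP return values.
check_ssl_opts(SslOpts) ->
    case proplists:get_value(verify, SslOpts) of
        verify_peer ->
            %% verify_peer needs trust anchors: cacertfile (PEM file) or
            %% cacerts (list of DER certificates).
            case proplists:is_defined(cacertfile, SslOpts) orelse
                 proplists:is_defined(cacerts, SslOpts) of
                true  -> ok;
                false -> {error, no_trusted_cacerts}
            end;
        N when is_integer(N) ->
            {error, {deprecated_verify_number, N}};
        Other ->
            %% verify_none or no verify option: the chain is not checked.
            {error, {peer_not_verified, Other}}
    end.

%% GET Url only if the options really ask for peer verification.
request(Url, SslOpts) ->
    case check_ssl_opts(SslOpts) of
        ok ->
            inets:start(),
            ssl:start(),
            case httpc:request(get, {Url, []}, [{ssl, SslOpts}], []) of
                {ok, {StatusLine, _Headers, _Body}} -> {ok, StatusLine};
                {error, Reason} -> {error, Reason}
            end;
        {error, _} = Refused ->
            Refused
    end.

%% The option lists tried in the quoted post, plus the corrected one.
audit() ->
    Variants = [[{verify, verify_peer}],
                [{verify, 2}], [{verify, 1}], [{verify, 0}],
                [{verify, verify_peer}, {cacertfile, "File.pem"}]],
    [{V, check_ssl_opts(V)} || V <- Variants].
```

Calling audit() shows that only the last variant passes the check; request/2 then refuses to connect with any of the others instead of silently skipping verification.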