[erlang-questions] HTTPC doesn't do HTTPS validation

Benoit Chesneau bchesneau@REDACTED
Sat Apr 19 06:08:47 CEST 2014

On Sat, Apr 19, 2014 at 6:02 AM, Ransom Richardson <ransomr@REDACTED> wrote:

>  What I am seeing is that it is insecure by default (both httpc and
> hackney). I also don't see a way to make it secure.

There is no such default in hackney:


>  Is there an option that I can pass that will cause it to validate that
> the cert matches the host?

Using the validate_fun function probably.

>  Is there an easier way to turn on validation than passing [{validate,
> validate_peer}, {cacertfile, ...}] on every request?
>  It never even occurred to me that an http client would be insecure by
> default when connecting over https.

It isn't. A lot were.

- benoit
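
Added example, not part of the original message and not code from httpc or hackney: one way to avoid repeating the TLS options on every request is a small wrapper around `httpc:request/4` that always enables chain and hostname verification, using the OTP `ssl` option names `verify` and `verify_peer`. The module and function names are hypothetical, and the code assumes OTP 25 or later (for `public_key:cacerts_get/0`).

```erlang
%% Hypothetical wrapper module (added example, not from the thread).
%% Assumes OTP 25+ so that the OS trust store can be loaded with
%% public_key:cacerts_get/0; on older releases pass {cacertfile, Path}.
-module(verified_httpc).
-export([ssl_opts/0, get/1]).

%% TLS options that make the client reject untrusted or mismatched certs.
ssl_opts() ->
    [%% Fail the handshake unless the chain ends in a trusted CA.
     {verify, verify_peer},
     %% Trust anchors: the operating system's CA certificates.
     {cacerts, public_key:cacerts_get()},
     %% Upper bound on intermediate certificates accepted in the chain.
     {depth, 3},
     %% Match the certificate against the requested host using HTTPS
     %% rules (wildcards limited to the left-most label).
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% GET Url with verification always on. A verification failure comes
%% back as {error, Reason} from httpc; it is returned unchanged so the
%% caller can log it and must not be retried with verification disabled.
get(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    httpc:request(get, {Url, []}, [{ssl, ssl_opts()}], []).
```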
