[erlang-questions] HTTPC doesn't do HTTPS validation

Benoit Chesneau bchesneau@REDACTED
Sat Apr 19 06:31:09 CEST 2014


On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <ransomr@REDACTED> wrote:

> But as I reported in this issue
> https://github.com/benoitc/hackney/issues/101 I tested against a server
> with an invalid cert, and hackney did not catch the error. httpc also
> returned ok.
>
> 1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
> {ok,200,
>     [{<<"connection">>,<<"keep-alive">>},
>      {<<"server">>,<<"Cowboy">>},
>      {<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
>      {<<"content-length">>,<<"0">>}],
>     #Ref<0.0.0.111>}
>
> The same happens if I pass validate_peer and the rootCA file as
> ssl_options.
>
> curl correctly rejects the server:
>
> talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
> curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'
>
> This is using Erlang 17.0. Is it possible that the ssl default changed?
>
> Or am I doing something wrong?
>
> The server I'm testing against is in this repo:
> https://github.com/talko/httpcbench. It's a work in progress, but if you
> pull, make and run_server you should see the same issue.
>
> thanks,
>
> Ransom
>
Hrm, looks like the default is verify_none:

https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594

But it's early in the morning and I need more coffee, so...

- benoit
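The practical takeaway from the thread is that an Erlang HTTPS client must set the TLS verification options itself rather than trust the ssl application's default. The following module is an added example written for this page; it is not code from the thread, from hackney or from OTP. It assumes an OTP release with `customize_hostname_check` (OTP 20 or later, so it would not compile as-is on the 17.0 Ransom was using), and it reuses the thread's URL and CA file path (`https://localhost:8443/delay`, `priv/ssl/rootCA.pem`); the module name and function names are my own.

```erlang
%% https_verify.erl -- added example, not from the original thread.
%% Shows an httpc request made with ssl's default-equivalent verify_none
%% beside one that validates the chain against a CA file and checks that
%% the certificate matches the host in the URL.
-module(https_verify).
-export([insecure/1, verified/2, main/0]).

%% Equivalent to what the thread's calls did: no chain validation and no
%% hostname check, so a self-signed or mis-issued certificate is accepted
%% and the request returns {ok, ...} with status 200.
insecure(Url) ->
    httpc:request(get, {Url, []}, [{ssl, [{verify, verify_none}]}], []).

%% Chain validation against CaFile plus hostname matching. Against the
%% thread's server this returns {error, ...} carrying a tls_alert instead
%% of {ok, ...}, which is the behaviour curl showed with exit codes 60/51.
verified(Url, CaFile) ->
    SslOpts = [
        {verify, verify_peer},
        {cacertfile, CaFile},
        {depth, 3},
        %% Match the server certificate's subject/SAN against the URL's
        %% host using the HTTPS rules (wildcards etc.). Requires OTP 20+.
        {customize_hostname_check,
         [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}
    ],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], []).

main() ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    Url = "https://localhost:8443/delay",            % from the thread
    CaFile = "priv/ssl/rootCA.pem",                  % from the thread
    io:format("verify_none: ~p~n", [insecure(Url)]),
    io:format("verify_peer: ~p~n", [verified(Url, CaFile)]),
    ok.
```

Compile with `erlc https_verify.erl` and run `erl -noshell -s https_verify main -s init stop` from the httpcbench checkout so the relative CA path resolves. The point of keeping both functions side by side is that the only difference between "accepts anything" and "rejects a bad chain or wrong hostname" is the option list passed under `{ssl, ...}`; nothing about the request itself changes, which is why the thread's `{ok, 200, ...}` looked correct until it was compared with curl.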