[erlang-questions] HTTPC doesn't do HTTPS validation

Ransom Richardson ransomr@REDACTED
Mon Apr 21 20:58:24 CEST 2014

?verify_none does seem like the default.

Also, even if I pass verify_peer, nothing checks if the host name in the certificate matches the host that I am connecting to. So a server can present any validly signed certificate for a different site.


From: Benoit Chesneau <bchesneau@REDACTED>
Sent: Saturday, April 19, 2014 12:31 AM
To: Ransom Richardson
Cc: erlang-questions@REDACTED
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation

On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <ransomr@REDACTED<mailto:ransomr@REDACTED>> wrote:

But as I reported in this issue https://github.com/benoitc/hackney/issues/101 I tested against a server with an invalid cert, and hackney did not catch the error. httpc also returned ok.

1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
     {<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},

The same happens if I pass validate_peer and the rootCA file as ssl_options.

curl correctly rejects the server:

talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'

This is using Erlang 17.0. Is it possible that the ssl default changed?

Or am I doing something wrong?

The server I'm testing against is in this repo: https://github.com/talko/httpcbench. It's a work in progress, but if you pull, make and run_server you should see the same issue.



hrm looks like the default is verify_none:


But it's early in the morning and I need more cafe, so...

- benoit
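For readers following this thread, here is an added example (not from the original post, hackney or OTP) of the two ssl option sets under discussion: the verify_none default that both posters observed, and a verify_peer configuration that pins the root CA and adds the host name check that verify_peer alone does not perform. It assumes inets and ssl are started, a module name of my choosing, and an OTP release with public_key:pkix_verify_hostname/2 (OTP 20 or later, not the 17.0 in the thread).

```erlang
-module(httpc_tls_example).
-export([insecure_ssl_opts/0, ssl_opts/2, get/3]).

%% What the thread observes: with verify_none (the default that was found)
%% the TLS handshake succeeds against any certificate at all.
insecure_ssl_opts() ->
    [{verify, verify_none}].

%% Chain validation against a pinned root CA plus an explicit host name check.
%% CaFile is the path to the root CA PEM; Host is the DNS name we expect.
ssl_opts(CaFile, Host) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {depth, 3},
     %% SNI; on newer OTP this also enables ssl's own host name check.
     {server_name_indication, Host},
     %% Re-check the name ourselves once the leaf certificate is reached,
     %% which is exactly what the thread found missing with verify_peer.
     {verify_fun, {fun hostname_check/3, Host}}].

%% verify_fun callback: chain errors fail, unknown extensions are ignored,
%% and the peer (leaf) certificate must carry the expected DNS name.
hostname_check(_Cert, {bad_cert, _} = Reason, _Host) ->
    {fail, Reason};
hostname_check(_Cert, {extension, _}, Host) ->
    {unknown, Host};
hostname_check(_Cert, valid, Host) ->
    {valid, Host};
hostname_check(Cert, valid_peer, Host) ->
    case public_key:pkix_verify_hostname(Cert, [{dns_id, Host}]) of
        true  -> {valid, Host};
        false -> {fail, {hostname_mismatch, Host}}
    end.

%% httpc GET with the hardened options (requires inets:start(), ssl:start()).
get(Url, CaFile, Host) ->
    httpc:request(get, {Url, []}, [{ssl, ssl_opts(CaFile, Host)}], []).
```

Against the server in the thread, `get("https://localhost:8443/delay", "priv/ssl/rootCA.pem", "localhost")` would fail with `{hostname_mismatch, "localhost"}`, since the certificate subject is 'httpcbench server', which matches curl's error (51) above.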