[erlang-questions] HTTPC doesn't do HTTPS validation
Ransom Richardson
ransomr@REDACTED
Mon Apr 21 20:58:24 CEST 2014
?verify_none does seem like the default.
Also, even if I pass verify_peer, nothing checks if the host name in the certificate matches the host that I am connecting to. So a server can present any validly signed certificate for a different site.
Ransom
________________________________
From: Benoit Chesneau <bchesneau@REDACTED>
Sent: Saturday, April 19, 2014 12:31 AM
To: Ransom Richardson
Cc: erlang-questions@REDACTED
Subject: Re: [erlang-questions] HTTPC doesn't do HTTPS validation
On Sat, Apr 19, 2014 at 6:17 AM, Ransom Richardson <ransomr@REDACTED<mailto:ransomr@REDACTED>> wrote:
But as I reported in this issue https://github.com/benoitc/hackney/issues/101 I tested against a server with an invalid cert, and hackney did not catch the error. httpc also returned ok.
1> hackney:get(<<"https://localhost:8443/delay">>, [], <<>>, []).
{ok,200,
[{<<"connection">>,<<"keep-alive">>},
{<<"server">>,<<"Cowboy">>},
{<<"date">>,<<"Sat, 19 Apr 2014 00:00:26 GMT">>},
{<<"content-length">>,<<"0">>}],
#Ref<0.0.0.111>}
The same happens if I pass validate_peer and the rootCA file as ssl_options.
curl correctly rejects the server:
talko@REDACTED:~/dev/httpcbench$ curl https://localhost:8443/delay
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
talko@REDACTED:~/dev/httpcbench$ curl --cacert priv/ssl/rootCA.pem https://localhost:8443/delay
curl: (51) SSL: certificate subject name 'httpcbench server' does not match target host name 'localhost'
This is using Erlang 17.0. Is it possible that the ssl default changed?
Or am I doing something wrong?
The server I'm testing against is in this repo: https://github.com/talko/httpcbench. It's a work in progress, but if you pull, make and run_server you should see the same issue.
thanks,
Ransom
hrm looks like the default is verify_none:
https://github.com/erlang/otp/blob/maint/lib/ssl/src/ssl.erl#L594
But it's early in the morning and I need more cafe, so...
- benoit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140421/075edde7/attachment.htm>
More information about the erlang-questions
mailing list