[erlang-questions] ssl certificate verification in httpc
Ivan Uemlianin
ivan@REDACTED
Tue Jul 15 15:02:33 CEST 2014
Dear Robby
Thanks that is very helpful. Unfortunately, I think verifying the
server will be required.
I have an SSL book somewhere I keep meaning to look at, perhaps now is
the time.
Best wishes
Ivan
On 15/07/2014 12:41, Robert Raschke wrote:
> Hi Ivan,
>
> SSL essentially does two things at once: encrypts the data and checks if
> client and/or server are who they say they are. The latter is where
> certificate verification comes into play, the encryption part is always
> done and usually automatically negotiated between client and server.
>
> So, if all you are aiming for is encrypting the data travelling between
> client and server, then you don't need the ssl option. Just point your
> httpc:request at an "https://..." URL and the encryption is handled for
> you without you having to do anything more.
>
> Hope this helps,
> Robby
>
>
>
> On 15 July 2014 12:27, Ivan Uemlianin <ivan@REDACTED> wrote:
>
> Dear Robby
>
> Thanks for your comment. I'm not sure if I need to verify the
> certificate either :D. I was assuming the client needs to verify
> the certificate otherwise how is the connection "secure"?
>
> [more or less completely ignorant about ssl]
>
> Of course if the client doesn't need to verify the certificate that
> would be most convenient.
>
> Best wishes
>
> Ivan
>
>
>
> On 15/07/2014 12:18, Robert Raschke wrote:
>
> Hi Ivan,
>
> are you sure you need to verify the certificate? If SSL is only
> used for encryption, then a simple request will do the trick, that
> is, just leave out the ssl option.
>
> I've never verified a cert, so if you do need that, hopefully
> someone else can be of assistance.
>
> Regards,
> Robby
>
>
>
> On 15 July 2014 11:58, Ivan Uemlianin <ivan@REDACTED> wrote:
>
> Dear All
>
> I am using httpc to access a web server over https. From reading
> the erlang ssl docs, this looks like the right way to do it:
>
> Url = "https://bla.org/bla",
> SSLOpts = [{verify, verify_peer},
>            {cacertfile,"certificates.crt"}],
>
> httpc:request(get, {Url, []}, [{ssl,SSLOpts}], []).
>
> But this returns an unknown ca error:
>
> {error,{failed_connect,[{to_address,{"bla.org", 443}},
>                         {inet,[inet],{tls_alert,"unknown ca"}}]}}
>
> 11:06:04.942 [error] SSL: certify: ssl_handshake.erl:1344:Fatal error: unknown ca
>
> The certificates file is in pem format, and I can't see from the
> docs page what ssl options I might add. Is there somewhere else I
> need to add a reference to the CA?
>
> In short, what am I missing to be able to verify this certificate?
>
> With thanks and best wishes
>
> Ivan
--
============================================================
Ivan A. Uemlianin PhD
Llaisdy
Speech Technology Research and Development
ivan@REDACTED
www.llaisdy.com
llaisdy.wordpress.com
github.com/llaisdy
www.linkedin.com/in/ivanuemlianin
festina lente
============================================================
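
Added example (not part of the original thread, and not code from any of its participants): a verified `httpc` request in Erlang, plus a helper that lists the subjects in the PEM bundle, which is the first thing to check when the handshake fails with `unknown ca`. It assumes a recent OTP release, since `customize_hostname_check` and `public_key:pkix_verify_hostname_match_fun/1` are not in the 2014 releases discussed above; the module and function names are hypothetical.

```erlang
%% Added example; module and function names are hypothetical.
-module(verified_get).
-export([request/2, bundle_subjects/1, classify/1]).
-include_lib("public_key/include/public_key.hrl").

%% GET Url, accepting the server only if its chain ends at a CA in CaFile
%% and the certificate matches the host name in the URL.
request(Url, CaFile) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    SslOpts = [{verify, verify_peer},
               {cacertfile, CaFile},
               {depth, 3},
               {customize_hostname_check,
                [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
    classify(httpc:request(get, {Url, []}, [{ssl, SslOpts}], [])).

%% Turn the failed_connect tuple into a short reason. Older releases report
%% the alert as a string, newer ones as {AlertAtom, Text}; both are handled.
classify({ok, _} = Ok) -> Ok;
classify({error, {failed_connect, Info}}) ->
    case lists:keyfind(inet, 1, Info) of
        {inet, _, {tls_alert, "unknown ca"}} -> {error, unknown_ca};
        {inet, _, {tls_alert, {unknown_ca, _}}} -> {error, unknown_ca};
        {inet, _, Reason} -> {error, Reason};
        false -> {error, Info}
    end;
classify(Other) -> Other.

%% List the subject of every certificate in a PEM bundle, so you can check
%% that the CA which issued the server's chain is actually in the file.
bundle_subjects(CaFile) ->
    {ok, Pem} = file:read_file(CaFile),
    [subject(Der) || {'Certificate', Der, not_encrypted}
                         <- public_key:pem_decode(Pem)].

subject(Der) ->
    #'OTPCertificate'{tbsCertificate = Tbs} =
        public_key:pkix_decode_cert(Der, otp),
    Tbs#'OTPTBSCertificate'.subject.
```

If `request/2` returns `{error, unknown_ca}`, compare the output of `bundle_subjects/1` with the issuer of the certificate chain the server presents.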