Elixir ibrowse
1/13/2024

Let me start off by apologising for the click-bait title. A better title would be: “On the security posture of Elixir HTTPS clients”. It’s a topic I covered in my ElixirConf EU talk, but it recently came up again.

The goal of this post is not to compare features, performance or usability, or even to choose a ‘most secure’ client. Instead it tries to establish what it takes to use these clients to connect securely to a server, given an HTTPS URL.

In many Elixir applications, an HTTP client is used to connect to 3rd party API servers such as AWS, Facebook or Google. Requests often contain sensitive data, such as API keys or personal information, that must be protected against eavesdropping and man-in-the-middle attacks. Developers might expect an HTTP client that accepts HTTPS URLs to take care of these things, but things aren’t always that simple, as we shall see…

- HTTPoison - the most popular HTTP client on hex.pm, powered by hackney.
- httpc - Erlang/OTP’s built-in HTTP client.

If you want to follow along, create a new project using mix new, edit your mix.exs file to list the package and application dependencies as shown below and then run mix deps.get. You may also want to have a set of trusted CA certificates available. Now run iex -S mix and you’re ready to start interactively exploring the HTTP client APIs.

Important note: most HTTP clients include a connection pool, and Erlang’s ssl module supports session resumption, which can lead to unexpected behaviour while experimenting with different TLS options. If changes don’t seem to have any effect from one request to the next, restart your application or iex session to make sure a fresh TLS handshake will take place.

We will be using this blog as a test server for the various scenarios:

UPDATE: Please note that the test endpoints are no longer available!

- the regular site, with a valid (at the time of writing) certificate issued through Let’s Encrypt.
- this URL will serve up the site using a self-signed certificate; a client should not complete the TLS handshake unless explicitly allowed by the user.
- this URL will serve up the site using the regular site’s certificate; the client should detect the hostname mismatch and abort the TLS handshake.

In a follow-up post I will explain how you can build your own TLS test server using Phoenix in just a few lines of code, and how to use the OpenSSL CLI to debug handshake issues.

Now then, let’s get started with our first client…

HTTPoison (hackney)

Note that it is necessary to pass in the expected hostname explicitly (as a charlist): it is not extracted from the URL passed into HTTPotion/ibrowse, since they are not aware of the verify_fun callback, nor by the Erlang ssl module since it never sees the URL. Because of this requirement it is not possible to configure the verify_fun option globally in the :httpotion application configuration, so all of the ssl_options shown above must be included in all calls to the HTTPotion API.

Finally, we could replace the CA trust store in our application’s priv directory with the certifi package.
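As an added example (not code from the original post, nor from the HTTPotion or ibrowse projects), here is one way to make sure the ssl_options with the explicit hostname check reach ibrowse on every HTTPotion call: a small wrapper that takes the hostname from the URL itself, so a caller cannot forget it. It assumes the httpotion and ssl_verify_fun packages are dependencies, an application named :my_app, and a CA bundle at priv/cacerts.pem; those names and paths are this example's assumptions.

```elixir
# Added example, not from the original post. Wraps HTTPotion.get/2 so that the
# ibrowse ssl_options (peer verification against a CA bundle plus an explicit
# hostname check) are applied on every call, since they cannot be set globally
# in the :httpotion application config. Assumptions: the `httpotion` and
# `ssl_verify_fun` packages are listed as dependencies, the application is
# named :my_app, and the CA bundle lives at priv/cacerts.pem.
defmodule SecureHTTPotion do
  # ibrowse expects Erlang ssl options; the verify_fun takes the hostname as a
  # charlist because neither ibrowse nor the ssl module will extract it from
  # the URL for us.
  def ssl_options(url) do
    hostname = expected_hostname(url)
    cacertfile = Application.app_dir(:my_app, "priv/cacerts.pem")

    [
      verify: :verify_peer,
      cacertfile: String.to_charlist(cacertfile),
      depth: 3,
      verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: hostname]}
    ]
  end

  # Pull the host out of an https URL and convert it to the charlist form the
  # hostname check expects; anything that is not https is refused outright so
  # a plaintext URL cannot slip through the wrapper.
  def expected_hostname(url) do
    case URI.parse(url) do
      %URI{scheme: "https", host: host} when is_binary(host) ->
        String.to_charlist(host)

      _ ->
        raise ArgumentError, "expected an https URL with a host, got: #{inspect(url)}"
    end
  end

  # Every request goes through here, so the hostname-bound ssl_options are
  # always passed to ibrowse.
  def get(url, headers \\ []) do
    HTTPotion.get(url, headers: headers, ibrowse: [ssl_options: ssl_options(url)])
  end
end

# Usage in iex -S mix (requires the dependencies above):
#   SecureHTTPotion.get("https://example.com/")
```

Against the self-signed and hostname-mismatch test servers described above, a call through this wrapper should fail the TLS handshake rather than return a response.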