If you depend on Erlang's Hackney library or an Elixir HTTP library built on Hackney, chances are your SSL configuration is wrong.
An investigation into a sudden SSL error showed how easy it is to end up with a wrong SSL configuration. Imagine using HTTPoison to make a GET request, and it returns an SSL error complaining about the certificate authority. So you might try to fiddle with the defaults, like trying to pass a specific list of TLS versions or ciphers:
```elixir
options = [ssl: [{:versions, [:'tlsv1.2']}]]
HTTPoison.get! "https://...", [], options
```
It worked!

Well, it didn't. It only stopped complaining because passing the required TLS version overrides the entire `ssl` option list instead of merging into it. Hackney's defaults are gone, so you are now missing the `:verify`, `:cacertfile`, `:verify_fun`, and `:customize_hostname_check` SSL options, and the server certificate is no longer verified at all, which is exactly why the error went away.
So, always remember to pass the entire `ssl` list of options when working with HTTPoison or Hackney.
Here’s an example:
```elixir
options = [
  ssl: [
    {:versions, [:'tlsv1.2']},
    {:verify, :verify_peer},
    {:cacertfile, :certifi.cacertfile()},
    {:verify_fun, &:ssl_verify_hostname.verify_fun/3},
    {:customize_hostname_check, [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]}
  ]
]
HTTPoison.get! "https://...", [], options
```
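As an added example (not from the original post, and not HTTPoison's or Hackney's own code), here is a small wrapper that merges any per-call override onto a full verification baseline and refuses to proceed if `:verify` is no longer `:verify_peer`, so pinning a TLS version can never silently drop certificate checks. It assumes the `certifi` and `ssl_verify_fun` packages are available, and passes `verify_fun` in the `{fun, initial_state}` pair form that Erlang's `ssl` documents.

```elixir
defmodule SecureHTTP do
  @moduledoc """
  Hypothetical helper (not part of HTTPoison or Hackney) that always hands
  Hackney a complete `ssl:` option list, so overriding one setting such as
  the TLS versions never silently disables certificate verification.
  """

  # Full baseline for one host. Any override is merged on top of this,
  # so verify/cacertfile/hostname-check settings survive customisation.
  defp ssl_defaults(host) do
    [
      versions: [:"tlsv1.2", :"tlsv1.3"],
      verify: :verify_peer,
      cacertfile: :certifi.cacertfile(),
      # Erlang's ssl expects {fun, initial_user_state} for verify_fun.
      verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: host]},
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  @doc "Builds HTTPoison options for `url`; `ssl_overrides` may tune but not weaken."
  def options(url, ssl_overrides \\ []) do
    host = URI.parse(url).host |> String.to_charlist()
    ssl = Keyword.merge(ssl_defaults(host), ssl_overrides)

    # Reject any override that turns verification back off.
    if Keyword.get(ssl, :verify) != :verify_peer do
      raise ArgumentError,
            "ssl :verify must stay :verify_peer, got #{inspect(ssl[:verify])}"
    end

    [ssl: ssl]
  end

  @doc "GET with a guaranteed-complete SSL configuration."
  def get!(url, ssl_overrides \\ []) do
    HTTPoison.get!(url, [], options(url, ssl_overrides))
  end
end

# Usage: pin TLS 1.2 only while keeping every verification option intact.
# SecureHTTP.get!("https://example.com/", versions: [:"tlsv1.2"])
```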