Passing SSL configuration to Hackney

If you depend on Erlang’s Hackney library or an Elixir HTTP library built on Hackney, chances are your SSL configuration is wrong.

An investigation into a sudden SSL error revealed how easily one can end up with a wrong SSL configuration. Imagine using HTTPoison to make a GET request, and it returns an SSL error complaining about the certificate authority. So you might try to fiddle with the defaults, like pinning a specific TLS version:

options = [ssl: [{:versions, [:'tlsv1.2']}]]

HTTPoison.get! "https://...", [], options

It worked!

Well, it didn’t. It just stopped complaining, because the ssl option you pass replaces Hackney’s entire default ssl option list instead of being merged into it. So now you are missing the :verify, :cacertfile, :verify_fun, and :customize_hostname_check SSL options, which is exactly why the error disappeared: the certificate is no longer being verified.

So, always remember to pass the entire ssl list of options when working with HTTPoison or Hackney.

Here’s an example:

# Hostname the certificate must match; replace this placeholder with the
# host of the URL you request (as an Erlang charlist).
host = ~c"example.com"

options = [
  ssl: [
    {:versions, [:'tlsv1.2']},
    {:verify, :verify_peer},
    {:cacertfile, :certifi.cacertfile()},
    # verify_fun takes a {fun, initial_state} tuple; ssl_verify_hostname
    # reads the hostname to check from that state.
    {:verify_fun, {&:ssl_verify_hostname.verify_fun/3, [check_hostname: host]}},
    {:customize_hostname_check, [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]}
  ]
]

HTTPoison.get! "https://...", [], options
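One way to avoid the trap, as an added example that is not from the original post: merge the caller’s overrides into a complete verification baseline key by key, and refuse to send if :verify is not :verify_peer. The SecureSSL module name and the example.com URL are assumptions; it relies on the certifi and ssl_verify_hostname packages used above.

```elixir
defmodule SecureSSL do
  @moduledoc "Build complete ssl option lists for Hackney/HTTPoison requests."

  # Verification baseline. These are exactly the options a bare
  # `ssl: [versions: ...]` override throws away.
  def base_opts(host) when is_list(host) do
    [
      verify: :verify_peer,
      cacertfile: :certifi.cacertfile(),
      verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: host]},
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Merge caller overrides (:versions, :ciphers, ...) into the baseline
  # key by key instead of replacing the whole list.
  def ssl_opts(host, overrides \\ []) do
    Keyword.merge(base_opts(host), overrides)
  end

  # Fail closed: refuse to send if the merged options would skip peer
  # verification, e.g. because a caller passed verify: :verify_none.
  def assert_verified!(opts) do
    case Keyword.get(opts, :verify) do
      :verify_peer -> opts
      other -> raise ArgumentError, "peer verification disabled: verify=#{inspect(other)}"
    end
  end

  def get!(url, headers \\ [], overrides \\ []) do
    %URI{host: host} = URI.parse(url)

    ssl =
      host
      |> String.to_charlist()
      |> ssl_opts(overrides)
      |> assert_verified!()

    HTTPoison.get!(url, headers, ssl: ssl)
  end
end

# Pin TLS 1.2 without losing certificate and hostname verification
# (example.com is a placeholder host).
SecureSSL.get!("https://example.com/", [], versions: [:"tlsv1.2"])
```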

