Notes to self

Passing SSL configuration to Hackney

If you depend on Erlang’s Hackney library or an Elixir HTTP library built on Hackney, chances are your SSL configuration is wrong.

An investigation into a sudden SSL error revealed how easily one can create a wrong SSL configuration. Imagine using HTTPoison to make a GET request, and it returns an SSL error complaining about the certificate authority. So you might try to fiddle with the defaults, like pinning a specific TLS version:

options = [ssl: [{:versions, [:'tlsv1.2']}]]

HTTPoison.get! "https://...", [], options

It worked!

Well, it didn’t. It just didn’t complain to you, because passing the TLS version replaces Hackney’s entire ssl option list! So now you are missing the :verify, :cacertfile, :verify_fun, and :customize_hostname_check SSL options, and the certificate is no longer verified at all.

So, always remember to pass the entire list of ssl options when working with HTTPoison or Hackney.

Here’s an example:

host = ~c"example.com"  # placeholder: the host of the URL you request

options = [
  ssl: [
    {:versions, [:'tlsv1.2']},
    {:verify, :verify_peer},
    {:cacertfile, :certifi.cacertfile()},
    # ssl_verify_hostname expects a {fun, state} tuple with the host to check
    {:verify_fun, {&:ssl_verify_hostname.verify_fun/3, [check_hostname: host]}},
    {:customize_hostname_check, [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]}
  ]
]

HTTPoison.get! "https://...", [], options
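A small helper that makes the advice above hard to get wrong, as an added example that is not code from the post or from Hackney: it keeps a verification baseline, merges your overrides (such as :versions) onto it with Keyword.merge, and raises if the merged list would turn verification off. The module name SafeSSL, the url argument and the hostname derivation via URI.parse are my assumptions.

```elixir
# Added example, not from the post: build a complete ssl option list so that
# tuning one setting (like :versions) never silently drops peer verification.
defmodule SafeSSL do
  # Returns `[ssl: opts]` for the given URL, ready to pass to HTTPoison/Hackney.
  # `overrides` is a keyword list such as [versions: [:"tlsv1.2"]].
  def options(url, overrides \\ []) do
    host = URI.parse(url).host || raise(ArgumentError, "URL has no host: #{url}")

    baseline = [
      # verify the chain against the certifi CA bundle
      verify: :verify_peer,
      cacertfile: :certifi.cacertfile(),
      # hostname check via ssl_verify_fun (needs the expected host as state)
      verify_fun: {&:ssl_verify_hostname.verify_fun/3, [check_hostname: to_charlist(host)]},
      # hostname check built into OTP 20+ (HTTPS wildcard rules)
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]

    # Overrides win on conflicting keys, but the baseline keys stay present.
    ssl = Keyword.merge(baseline, overrides)

    # Refuse to hand back a list that would disable verification.
    unless ssl[:verify] == :verify_peer and Keyword.has_key?(ssl, :cacertfile) do
      raise ArgumentError, "ssl options would disable certificate verification: #{inspect(ssl)}"
    end

    [ssl: ssl]
  end
end

# Pin TLS 1.2 without losing verification:
url = "https://..."
HTTPoison.get!(url, [], SafeSSL.options(url, versions: [:"tlsv1.2"]))

# The silent failure mode from the post now fails loudly:
# SafeSSL.options(url, verify: :verify_none)  # raises ArgumentError
```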

Work with me

I have some availability for contract work. I can be your fractional CTO, a Ruby on Rails engineer, or consultant. Write me at strzibny@strzibny.name.
