Skip to the content.
« Erlang standard library: ssl

Erlang standard library: inets

Background

The ‘httpc` HTTP client in ‘inets’ inherits the TLS protocol defaults from the ‘ssl’ applications, enabling man-in-the-middle (MitM) attacks. Please refer to Erlang standard library: ssl for details.

%% Erlang
httpc:request(get, {"https://www.example.net/", []}, [
    {ssl, [
        {verify, verify_peer},
        {cacertfile, "/etc/ssl/cert.pem"},
        {depth, 2},
        {customize_hostname_check, [
            {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
        ]}
    ]}
], []).
# Elixir
:httpc.request(:get, {'https://www.example.net/', []}, [
  ssl: [
    verify: :verify_peer,
    cacertfile: '/etc/ssl/cert.pem',
    depth: 2,
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ]
  ]
], [])

The http_uri:parse/1 function in the ‘inets’ application converts the URI’s scheme to an atom. When used on a URI taken from an untrusted source, such as a web page being parsed, this can lead to atom exhaustion and therefore a crash of the VM. Use the uri_string:parse/1 function from the standard library instead.

Next: Erlang standard library: crypto »