
Erlang standard library: inets

Background

The httpc HTTP client in ‘inets’ inherits its TLS defaults from the ‘ssl’ application, so without explicit options the server certificate is not verified and the connection is open to man-in-the-middle (MitM) attacks. Please refer to Erlang standard library: ssl for details, including examples of options that work with OTP versions prior to 25.

%% Erlang
httpc:request(get, {"https://www.example.net/", []}, [
    {ssl, [
        {verify, verify_peer},
        {cacerts, public_key:cacerts_get()},
        {depth, 2},
        {customize_hostname_check, [
            {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
        ]}
    ]}
], []).

# Elixir
:httpc.request(:get, {'https://www.example.net/', []}, [
  ssl: [
    verify: :verify_peer,
    cacerts: :public_key.cacerts_get(),
    depth: 2,
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ]
  ]
], [])

The http_uri:parse/1 function in the ‘inets’ application converts the URI’s scheme to an atom. Atoms are never garbage collected, so when the function is used on URIs taken from an untrusted source, such as links extracted from a web page, an attacker who supplies many distinct schemes can exhaust the atom table and crash the VM. Use the uri_string:parse/1 function from the standard library instead; it returns the scheme as a string or binary, matching the type of its input.
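The following module is an added example and not part of the original guidelines. It combines the two points above: an untrusted URL is parsed with uri_string:parse/1 and its scheme is checked against a fixed allow-list by binary comparison (no atom is ever created from attacker-controlled input), and only then is the request made through httpc with peer verification enabled. The module and function names (safe_fetch, scheme_of/1, fetch/1, ssl_opts/0) are assumptions chosen for the example.

```erlang
%% Added example (not from the original page): fetch an untrusted URL safely.
%% uri_string:parse/1 keeps the scheme as a binary when given a binary, so
%% arbitrary input cannot grow the atom table the way http_uri:parse/1 would.
-module(safe_fetch).
-export([fetch/1, scheme_of/1]).

%% Returns {ok, Scheme} with Scheme as a lower-cased binary, or {error, Reason}.
%% Only schemes on the allow-list are accepted; everything else is rejected
%% without ever calling list_to_atom or binary_to_atom on the input.
scheme_of(Url) when is_binary(Url) ->
    case uri_string:parse(Url) of
        #{scheme := Scheme} ->
            case string:lowercase(Scheme) of
                <<"https">> -> {ok, <<"https">>};
                <<"http">>  -> {ok, <<"http">>};
                _Other      -> {error, unsupported_scheme}
            end;
        #{} ->
            {error, missing_scheme};
        {error, _Type, _Detail} ->
            {error, invalid_uri}
    end.

%% Performs a GET over TLS with certificate and hostname verification.
%% Plain http is refused here; relax this only if your threat model allows it.
fetch(Url) when is_binary(Url) ->
    case scheme_of(Url) of
        {ok, <<"https">>} ->
            {ok, _} = application:ensure_all_started(inets),
            {ok, _} = application:ensure_all_started(ssl),
            httpc:request(get, {binary_to_list(Url), []}, [{ssl, ssl_opts()}], []);
        {ok, <<"http">>} ->
            {error, plaintext_http_rejected};
        {error, _} = Err ->
            Err
    end.

%% The hardened ssl options shown on this page; requires OTP 25+ for
%% public_key:cacerts_get/0 (see the ssl page for older releases).
ssl_opts() ->
    [{verify, verify_peer},
     {cacerts, public_key:cacerts_get()},
     {depth, 2},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
```

Calling safe_fetch:scheme_of(<<"javascript:alert(1)">>) returns {error, unsupported_scheme}, and safe_fetch:scheme_of(<<"not a uri">>) returns {error, missing_scheme}, in both cases without touching the atom table; safe_fetch:fetch(<<"https://www.example.net/">>) performs the verified request.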
