Skip to the content.
« Erlang standard library: ssl

Erlang standard library: inets


The httpc HTTP client in ‘inets’ inherits the TLS protocol defaults from the ‘ssl’ applications, enabling man-in-the-middle (MitM) attacks. Please refer to Erlang standard library: ssl for details, including examples of options that work with OTP versions prior to 25.

%% Erlang
httpc:request(get, {"", []}, [
    {ssl, [
        {verify, verify_peer},
        {cacerts, public_key:cacerts_get()},
        {depth, 2},
        {customize_hostname_check, [
            {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
], []).
# Elixir
:httpc.request(:get, {'', []}, [
  ssl: [
    verify: :verify_peer,
    cacerts: :public_key.cacerts_get(),
    depth: 2,
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
], [])

The http_uri:parse/1 function in the ‘inets’ application converts the URI’s scheme to an atom. When used on a URI taken from an untrusted source, such as a web page being parsed, this can lead to atom exhaustion and therefore a crash of the VM. Use the uri_string:parse/1 function from the standard library instead.

Next: Erlang standard library: crypto »