
Secure SSL defaults for HTTPC for OTP-25+
essen committed Nov 18, 2024
1 parent affc3f7 commit 1352f5c
Showing 1 changed file with 28 additions and 10 deletions.
38 changes: 28 additions & 10 deletions src/hex_http_httpc.erl
Expand Up @@ -20,24 +20,42 @@

request(Method, URI, ReqHeaders, Body, AdapterConfig) when is_binary(URI) ->
Profile = maps:get(profile, AdapterConfig, default),
HTTPOptions = maps:get(http_options, AdapterConfig, []),
HTTPOptions0 = maps:get(http_options, AdapterConfig, []),

HTTPS =
case URI of
<<"https", _/binary>> -> true;
_ -> false
end,
SSLOpts = proplists:get_value(ssl, HTTPOptions),
SSLOpts0 = proplists:get_value(ssl, HTTPOptions0),

if
HTTPS == true andalso SSLOpts == undefined ->
io:format(
"[hex_http_httpc] using default ssl options which are insecure.~n"
"Configure your adapter with: "
"{hex_http_httpc, #{http_options => [{ssl, SslOpts}]}}~n"
);
HTTPOptions = if
HTTPS == true andalso SSLOpts0 == undefined ->
%% Add safe defaults if possible.
_ = code:load_file(public_key),
HasCacertsGet = erlang:function_exported(public_key, cacerts_get, 0),

case HasCacertsGet of
true ->
[{ssl, [
{verify, verify_peer},
{cacerts, public_key:cacerts_get()},
{depth, 3},
{customize_hostname_check, [
{match_fun, public_key:pkix_verify_hostname_match_fun(https)}
]}
]}|HTTPOptions0];
false ->
io:format(
"[hex_http_httpc] using default ssl options which are insecure.~n"
"Configure your adapter with: "
"{hex_http_httpc, #{http_options => [{ssl, SslOpts}]}}~n"
"or upgrade Erlang/OTP to OTP-25 or later.~n"
),
HTTPOptions0
end;
true ->
ok
HTTPOptions0
end,

Request = build_request(URI, ReqHeaders, Body),
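Review bot: The `_ = code:load_file(public_key)` at the top of the new branch runs on every HTTPS request, and `code:load_file/1` loads the module unconditionally rather than checking whether it is present, so the first call replaces the running `public_key` code with a fresh copy (leaving old code behind) and later calls can fail with `{error, not_purged}`, which the `_ =` silently discards. The only purpose here is to make `erlang:function_exported/3` meaningful, so `_ = code:ensure_loaded(public_key),` is the right call: it loads only when the module is absent and is a no-op otherwise. Once `cacerts_get/0` is exported the `true` branch assumes it succeeds, but as far as I recall it raises when no OS trust store can be found, so such a host would get an opaque exception instead of the explicit message printed in the `false` branch — worth either a comment stating that this is intentional (fail closed) or a `try` that reports a clear reason without falling back to unverified TLS. The hard-coded `{depth, 3}` may also reject otherwise valid chains with more intermediates than that; the ssl application's own default is larger in recent releases, I believe. `request/5` continues past the end of the hunk.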
