From e57b4fb15cde710b3ae09b1d18f148f6999a63cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= Date: Tue, 19 Nov 2024 16:28:44 +0100 Subject: [PATCH] Secure SSL defaults for HTTPC for OTP-25+ (#153) --- src/hex_http_httpc.erl | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/src/hex_http_httpc.erl b/src/hex_http_httpc.erl index bb32e81..6459e21 100644 --- a/src/hex_http_httpc.erl +++ b/src/hex_http_httpc.erl @@ -20,24 +20,38 @@ request(Method, URI, ReqHeaders, Body, AdapterConfig) when is_binary(URI) -> Profile = maps:get(profile, AdapterConfig, default), - HTTPOptions = maps:get(http_options, AdapterConfig, []), + HTTPOptions0 = maps:get(http_options, AdapterConfig, []), HTTPS = case URI of <<"https", _/binary>> -> true; _ -> false end, - SSLOpts = proplists:get_value(ssl, HTTPOptions), + SSLOpts0 = proplists:get_value(ssl, HTTPOptions0), - if - HTTPS == true andalso SSLOpts == undefined -> - io:format( - "[hex_http_httpc] using default ssl options which are insecure.~n" - "Configure your adapter with: " - "{hex_http_httpc, #{http_options => [{ssl, SslOpts}]}}~n" - ); + HTTPOptions = if + HTTPS == true andalso SSLOpts0 == undefined -> + %% Add safe defaults if possible. + try + [{ssl, [ + {verify, verify_peer}, + {cacerts, public_key:cacerts_get()}, + {depth, 3}, + {customize_hostname_check, [ + {match_fun, public_key:pkix_verify_hostname_match_fun(https)} + ]} + ]}|HTTPOptions0] + catch _:_ -> + io:format( + "[hex_http_httpc] using default ssl options which are insecure.~n" + "Configure your adapter with: " + "{hex_http_httpc, #{http_options => [{ssl, SslOpts}]}}~n" + "or upgrade Erlang/OTP to OTP-25 or later.~n" + ), + HTTPOptions0 + end; true -> - ok + HTTPOptions0 end, Request = build_request(URI, ReqHeaders, Body),