document self-signed certificate usage (#578)
Also document how to use client certificates, and CRLs.
aboroska authored and benoitc committed Jul 25, 2019
1 parent dbc1249 commit b3ea4ea
Showing 3 changed files with 133 additions and 0 deletions.
45 changes: 45 additions & 0 deletions README.md
@@ -423,6 +423,51 @@ Options = [{follow_redirect, true}, {max_redirect, 5}],
{ok, Body1} = hackney:body(Ref).
```

### Use SSL/TLS with self signed certificates

Hackney uses CA bundles adapted from Mozilla by
[certifi](https://hex.pm/packages/certifi).
Recognising an organisation specific (self signed) certificates is possible
by providing the necessary `ssl_options`. Note that `ssl_options` overrides all
options passed to the ssl module.

ex (>= Erlang 21):

```erlang

CACertFile = <path_to_self_signed_ca_bundle>,
CrlCheckTimeout = 5000,
SSLOptions = [
{verify, verify_peer},
{versions, ['tlsv1.2']},
{cacertfile, CACertFile},
{crl_check, peer},
{crl_cache, {ssl_crl_cache, {internal, [{http, CrlCheckTimeout}]}}},
{customize_hostname_check,
[{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],

Method = get,
URL = "http://my-organisation/",
ReqHeaders = [],
ReqBody = <<>>,
Options = [{ssl_options, SSLoptions}],
{ok, S, H, Ref} = hackney:request(Method, URL, ReqHeaders,
ReqBody, Options),

%% To provide client certificate:

CertFile = <path_to_client_certificate>,
KeyFile = <path_to_client_private_key>,
SSLOptions1 = SSLoptions ++ [
{certfile, CertFile},
{keyfile, KeyFile}
],
Options1 = [{ssl_options, SSLoptions1}],
{ok, S1, H1, Ref1} = hackney:request(Method, URL, ReqHeaders,
ReqBody, Options1).

```

### Proxy a connection

#### HTTP Proxy
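Review bot: the example binds `SSLOptions` but then reads `SSLoptions` (lower-case o) in `Options = [{ssl_options, SSLoptions}],` and `SSLOptions1 = SSLoptions ++ [`, and `Options1 = [{ssl_options, SSLoptions1}]` reads `SSLoptions1` instead of `SSLOptions1`; Erlang variables are case-sensitive, so pasted into a module or the shell this fails with an unbound-variable error rather than running. Use one spelling throughout. Second, the request URL is `"http://my-organisation/"` in a section about TLS: `ssl_options` only take effect on an `https://` connection, so as written `verify_peer`, the CA bundle and the CRL check are never exercised and the request goes out in plaintext; change the scheme to `https://`. Third, the angle-bracket placeholders (`<path_to_self_signed_ca_bundle>`, `<path_to_client_certificate>`) are not valid Erlang; quoting them as strings would make the block copy-pasteable. Since the prose already states that `ssl_options` replaces everything hackney would otherwise pass to `ssl`, it is worth saying explicitly that dropping `{verify, verify_peer}` from this list falls back to the `ssl` default of no peer verification, which is the usual way a "custom CA" snippet quietly turns into an unauthenticated TLS connection.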
45 changes: 45 additions & 0 deletions doc/README.md
@@ -423,6 +423,51 @@ Options = [{follow_redirect, true}, {max_redirect, 5}],
{ok, Body1} = hackney:body(Ref).
```

### Use SSL/TLS with self signed certificates

Hackney uses CA bundles adapted from Mozilla by
[certifi](https://hex.pm/packages/certifi).
Recognising an organisation specific (self signed) certificates is possible
by providing the necessary `ssl_options`. Note that `ssl_options` overrides all
options passed to the ssl module.

ex (>= Erlang 21):

```erlang

CACertFile = <path_to_self_signed_ca_bundle>,
CrlCheckTimeout = 5000,
SSLOptions = [
{verify, verify_peer},
{versions, ['tlsv1.2']},
{cacertfile, CACertFile},
{crl_check, peer},
{crl_cache, {ssl_crl_cache, {internal, [{http, CrlCheckTimeout}]}}},
{customize_hostname_check,
[{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],

Method = get,
URL = "http://my-organisation/",
ReqHeaders = [],
ReqBody = <<>>,
Options = [{ssl_options, SSLoptions}],
{ok, S, H, Ref} = hackney:request(Method, URL, ReqHeaders,
ReqBody, Options),

%% To provide client certificate:

CertFile = <path_to_client_certificate>,
KeyFile = <path_to_client_private_key>,
SSLOptions1 = SSLoptions ++ [
{certfile, CertFile},
{keyfile, KeyFile}
],
Options1 = [{ssl_options, SSLoptions1}],
{ok, S1, H1, Ref1} = hackney:request(Method, URL, ReqHeaders,
ReqBody, Options1).

```

### Proxy a connection

#### HTTP Proxy
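Review bot: this hunk is a verbatim copy of the README.md hunk and carries the same defects: `SSLoptions` vs `SSLOptions` (and `SSLoptions1` vs `SSLOptions1`) will not compile, and the URL is `http://` in a TLS example, so none of the `ssl_options` shown are applied. Whichever of README.md, doc/README.md and doc/overview.edoc is the source of truth, fix the variable spelling and the scheme there and regenerate or update the other copies in lockstep, otherwise the three documents will drift the next time one is corrected.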
43 changes: 43 additions & 0 deletions doc/overview.edoc
@@ -419,6 +419,49 @@ Options = [{follow_redirect, true}, {max_redirect, 5}],
ReqBody, Options),
{ok, Body1} = hackney:body(Ref).</pre>

### Use SSL/TLS with self signed certificates

Hackney uses CA bundles adapted from Mozilla by
[certifi](https://hex.pm/packages/certifi).
Recognising an organisation specific (self signed) certificates is possible
by providing the necessary `ssl_options'. Note that `ssl_options' overrides all
options passed to the ssl module.

ex (>= Erlang 21):

<pre lang="erlang">
CACertFile = &lt;path_to_self_signed_ca_bundle>,
CrlCheckTimeout = 5000,
SSLOptions = [
{verify, verify_peer},
{versions, ['tlsv1.2']},
{cacertfile, CACertFile},
{crl_check, peer},
{crl_cache, {ssl_crl_cache, {internal, [{http, CrlCheckTimeout}]}}},
{customize_hostname_check,
[{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],

Method = get,
URL = "http://my-organisation/",
ReqHeaders = [],
ReqBody = &lt;&lt;>>,
Options = [{ssl_options, SSLoptions}],
{ok, S, H, Ref} = hackney:request(Method, URL, ReqHeaders,
ReqBody, Options),

%% To provide client certificate:

CertFile = &lt;path_to_client_certificate>,
KeyFile = &lt;path_to_client_private_key>,
SSLOptions1 = SSLoptions ++ [
{certfile, CertFile},
{keyfile, KeyFile}
],
Options1 = [{ssl_options, SSLoptions1}],
{ok, S1, H1, Ref1} = hackney:request(Method, URL, ReqHeaders,
ReqBody, Options1).
</pre>

### Proxy a connection

#### HTTP Proxy
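Review bot: the edoc copy repeats the `SSLoptions`/`SSLOptions` and `SSLoptions1`/`SSLOptions1` mismatch and the `http://my-organisation/` URL, so the generated documentation would ship an example that neither compiles nor actually negotiates TLS; correct both here as well. The edoc-specific parts look right: the `ssl_options' quote pairs follow edoc's inline-code convention, and the `&lt;` escaping is applied to `&lt;&lt;>>` and to the path placeholders inside `<pre lang="erlang">` (a bare `>` is acceptable there), with the `</pre>` properly closed before the `### Proxy a connection` heading.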

0 comments on commit b3ea4ea
