Commit b3ea4ea

aboroska authored and benoitc committed
document self-signed certificate usage (#578)
Also document how to use client certificates, and CRLs.
1 parent dbc1249 commit b3ea4ea

3 files changed: +133 -0 lines changed


README.md

Lines changed: 45 additions & 0 deletions
@@ -423,6 +423,51 @@ Options = [{follow_redirect, true}, {max_redirect, 5}],
423423
{ok, Body1} = hackney:body(Ref).
424424
```
425425

426+
### Use SSL/TLS with self signed certificates
427+
428+
Hackney uses CA bundles adapted from Mozilla by
429+
[certifi](https://hex.pm/packages/certifi).
430+
Recognising an organisation specific (self signed) certificates is possible
431+
by providing the necessary `ssl_options`. Note that `ssl_options` overrides all
432+
options passed to the ssl module.
433+
434+
ex (>= Erlang 21):
435+
436+
```erlang
437+
438+
CACertFile = <path_to_self_signed_ca_bundle>,
439+
CrlCheckTimeout = 5000,
440+
SSLOptions = [
441+
{verify, verify_peer},
442+
{versions, ['tlsv1.2']},
443+
{cacertfile, CACertFile},
444+
{crl_check, peer},
445+
{crl_cache, {ssl_crl_cache, {internal, [{http, CrlCheckTimeout}]}}},
446+
{customize_hostname_check,
447+
[{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
448+
449+
Method = get,
450+
URL = "http://my-organisation/",
451+
ReqHeaders = [],
452+
ReqBody = <<>>,
453+
Options = [{ssl_options, SSLoptions}],
454+
{ok, S, H, Ref} = hackney:request(Method, URL, ReqHeaders,
455+
ReqBody, Options),
456+
457+
%% To provide client certificate:
458+
459+
CertFile = <path_to_client_certificate>,
460+
KeyFile = <path_to_client_private_key>,
461+
SSLOptions1 = SSLoptions ++ [
462+
{certfile, CertFile},
463+
{keyfile, KeyFile}
464+
],
465+
Options1 = [{ssl_options, SSLoptions1}],
466+
{ok, S1, H1, Ref1} = hackney:request(Method, URL, ReqHeaders,
467+
ReqBody, Options1).
468+
469+
```
470+
426471
### Proxy a connection
427472

428473
#### HTTP Proxy
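Review bot: the snippet in this hunk will not run as written, because the variable bound on `SSLOptions = [` is later referenced with different capitalisation in `Options = [{ssl_options, SSLoptions}],`, `SSLOptions1 = SSLoptions ++ [` and `Options1 = [{ssl_options, SSLoptions1}],`; Erlang variables are case-sensitive, so `SSLoptions` and `SSLoptions1` are unbound and the shell rejects the expression. Rename them to `SSLOptions` and `SSLOptions1`. The request URL `URL = "http://my-organisation/",` is also a problem: with a plain `http` scheme hackney never negotiates TLS, so none of the `ssl_options` (peer verification, CRL check, hostname match, client certificate) are exercised and the example silently proves nothing; use an `https://` URL. Smaller points: `<path_to_self_signed_ca_bundle>` and the other angle-bracket placeholders are not valid Erlang terms, so string placeholders such as `"/path/to/ca.pem"` would let readers paste the snippet directly; pinning `{versions, ['tlsv1.2']}` also excludes TLS 1.3 on OTP 22 and later, which is worth a sentence; and since the text itself says `ssl_options` replaces every option hackney would pass to `ssl`, it is worth stating explicitly that omitting `{verify, verify_peer}` from this list turns certificate verification off, which is why the example keeps it. Finally, the heading and intro should read "self-signed" and "organisation-specific (self-signed) certificates".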

doc/README.md

Lines changed: 45 additions & 0 deletions
@@ -423,6 +423,51 @@ Options = [{follow_redirect, true}, {max_redirect, 5}],
423423
{ok, Body1} = hackney:body(Ref).
424424
```
425425

426+
### Use SSL/TLS with self signed certificates
427+
428+
Hackney uses CA bundles adapted from Mozilla by
429+
[certifi](https://hex.pm/packages/certifi).
430+
Recognising an organisation specific (self signed) certificates is possible
431+
by providing the necessary `ssl_options`. Note that `ssl_options` overrides all
432+
options passed to the ssl module.
433+
434+
ex (>= Erlang 21):
435+
436+
```erlang
437+
438+
CACertFile = <path_to_self_signed_ca_bundle>,
439+
CrlCheckTimeout = 5000,
440+
SSLOptions = [
441+
{verify, verify_peer},
442+
{versions, ['tlsv1.2']},
443+
{cacertfile, CACertFile},
444+
{crl_check, peer},
445+
{crl_cache, {ssl_crl_cache, {internal, [{http, CrlCheckTimeout}]}}},
446+
{customize_hostname_check,
447+
[{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
448+
449+
Method = get,
450+
URL = "http://my-organisation/",
451+
ReqHeaders = [],
452+
ReqBody = <<>>,
453+
Options = [{ssl_options, SSLoptions}],
454+
{ok, S, H, Ref} = hackney:request(Method, URL, ReqHeaders,
455+
ReqBody, Options),
456+
457+
%% To provide client certificate:
458+
459+
CertFile = <path_to_client_certificate>,
460+
KeyFile = <path_to_client_private_key>,
461+
SSLOptions1 = SSLoptions ++ [
462+
{certfile, CertFile},
463+
{keyfile, KeyFile}
464+
],
465+
Options1 = [{ssl_options, SSLoptions1}],
466+
{ok, S1, H1, Ref1} = hackney:request(Method, URL, ReqHeaders,
467+
ReqBody, Options1).
468+
469+
```
470+
426471
### Proxy a connection
427472

428473
#### HTTP Proxy
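Review bot: this hunk carries the same defect as the README.md copy: `SSLOptions = [` binds the variable, but `Options = [{ssl_options, SSLoptions}],`, `SSLOptions1 = SSLoptions ++ [` and `Options1 = [{ssl_options, SSLoptions1}],` reference `SSLoptions`/`SSLoptions1`, which are unbound in case-sensitive Erlang and make the example fail; use `SSLOptions` and `SSLOptions1` consistently. The `http://my-organisation/` URL likewise needs to be `https://`, since a non-TLS request never applies `ssl_options` and the CRL and client-certificate settings are never exercised. Because doc/README.md duplicates README.md verbatim, the two files should be fixed together so they do not drift, and the angle-bracket placeholders (`<path_to_self_signed_ca_bundle>` etc.) would be easier to paste as quoted strings.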

doc/overview.edoc

Lines changed: 43 additions & 0 deletions
@@ -419,6 +419,49 @@ Options = [{follow_redirect, true}, {max_redirect, 5}],
419419
ReqBody, Options),
420420
{ok, Body1} = hackney:body(Ref).</pre>
421421

422+
### Use SSL/TLS with self signed certificates
423+
424+
Hackney uses CA bundles adapted from Mozilla by
425+
[certifi](https://hex.pm/packages/certifi).
426+
Recognising an organisation specific (self signed) certificates is possible
427+
by providing the necessary `ssl_options'. Note that `ssl_options' overrides all
428+
options passed to the ssl module.
429+
430+
ex (>= Erlang 21):
431+
432+
<pre lang="erlang">
433+
CACertFile = &lt;path_to_self_signed_ca_bundle>,
434+
CrlCheckTimeout = 5000,
435+
SSLOptions = [
436+
{verify, verify_peer},
437+
{versions, ['tlsv1.2']},
438+
{cacertfile, CACertFile},
439+
{crl_check, peer},
440+
{crl_cache, {ssl_crl_cache, {internal, [{http, CrlCheckTimeout}]}}},
441+
{customize_hostname_check,
442+
[{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
443+
444+
Method = get,
445+
URL = "http://my-organisation/",
446+
ReqHeaders = [],
447+
ReqBody = &lt;&lt;>>,
448+
Options = [{ssl_options, SSLoptions}],
449+
{ok, S, H, Ref} = hackney:request(Method, URL, ReqHeaders,
450+
ReqBody, Options),
451+
452+
%% To provide client certificate:
453+
454+
CertFile = &lt;path_to_client_certificate>,
455+
KeyFile = &lt;path_to_client_private_key>,
456+
SSLOptions1 = SSLoptions ++ [
457+
{certfile, CertFile},
458+
{keyfile, KeyFile}
459+
],
460+
Options1 = [{ssl_options, SSLoptions1}],
461+
{ok, S1, H1, Ref1} = hackney:request(Method, URL, ReqHeaders,
462+
ReqBody, Options1).
463+
</pre>
464+
422465
### Proxy a connection
423466

424467
#### HTTP Proxy
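Review bot: the edoc version of the example has the same unbound-variable bug as the two markdown copies: `SSLOptions = [` is bound, but `Options = [{ssl_options, SSLoptions}],`, `SSLOptions1 = SSLoptions ++ [` and `Options1 = [{ssl_options, SSLoptions1}],` use `SSLoptions`/`SSLoptions1`, which Erlang treats as different, unbound variables; rename them to `SSLOptions` and `SSLOptions1`. `URL = "http://my-organisation/",` should be an `https://` URL, otherwise no TLS handshake happens and the `ssl_options` being documented (verify_peer, CRL checking, hostname matching, client certificate) never take effect. Style points: the escaped placeholders `&lt;path_to_self_signed_ca_bundle>`, `&lt;path_to_client_certificate>` and `&lt;path_to_client_private_key>` are not valid Erlang and would read better as quoted string placeholders, and "self signed" / "organisation specific (self signed) certificates" should be hyphenated.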
