edgurgel / httpoison

Yet Another HTTP client for Elixir powered by hackney
https://hex.pm/packages/httpoison
MIT License

SSL options replace default options (instead of just being added to them) #458

Closed bortzmeyer closed 1 year ago

bortzmeyer commented 2 years ago

I wanted to add a :log_level option to the SSL module. Many examples are on the Web or in HTTPoison documentation but it seems to me they are all wrong: using :ssl in HTTPoison options replaces the set of SSL options, creating a lot of problems. You have, as mentioned here, to pass the entire set of options.

For instance:

HTTPoison.get("https://example.com/", [], [ ssl: [{:versions, [:'tlsv1.2']}] ])

Does not produce the expected result (it disables SSL validation, for instance). You have to be more verbose:

HTTPoison.get("https://example.com", [], [ ssl: [{:versions, [:'tlsv1.2']}, {:verify, :verify_peer}, {:cacertfile, :certifi.cacertfile()}]])

Hentioe commented 2 years ago

You unintentionally answered some of my doubts, thank you 👍

bortzmeyer commented 2 years ago

> You unintentionally answered some of my doubts, thank you +1

It seems to me it may be a security issue as well.
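
The workaround from the first comment, generalized into a helper, as an added example that is not part of the original issue or of HTTPoison itself. The module name `SafeSSL` and its functions are hypothetical; it assumes the `httpoison` and `certifi` packages are available, and the baseline shown is an assumed minimum, not a copy of hackney's internal defaults.

```elixir
defmodule SafeSSL do
  # Hypothetical helper, not part of HTTPoison or hackney.
  # Because a caller-supplied :ssl list replaces the default SSL options
  # instead of being merged into them, every request that customizes SSL
  # must carry the verification options itself.

  # Verification options that must be present on every request.
  def baseline do
    [
      verify: :verify_peer,
      cacertfile: :certifi.cacertfile(),
      # Hostname matching with HTTPS wildcard rules (OTP :public_key).
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Merge caller options (e.g. :versions, :log_level) on top of the
  # baseline. Caller keys win, so refuse any result that no longer
  # verifies the peer certificate.
  def options(extra \\ []) do
    merged = Keyword.merge(baseline(), extra)

    unless Keyword.get(merged, :verify) == :verify_peer do
      raise ArgumentError, "ssl options must keep verify: :verify_peer"
    end

    unless Keyword.has_key?(merged, :cacertfile) or Keyword.has_key?(merged, :cacerts) do
      raise ArgumentError, "ssl options must name a CA trust store"
    end

    merged
  end

  # Wrapper so call sites cannot forget the merge.
  def get(url, headers \\ [], extra_ssl \\ []) do
    HTTPoison.get(url, headers, ssl: options(extra_ssl))
  end
end

# Restricting the TLS version and raising the log level now keeps
# certificate validation in place:
#   SafeSSL.get("https://example.com/", [], versions: [:"tlsv1.2"], log_level: :debug)
```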