Possible to bypass cert verification in Requests.jl or HTTP.jl?

josefsachs · July 24, 2017, 12:17am

Is there a way that I can bypass cert verification in Requests.jl or HTTP.jl (i.e., as a client),
similar to curl’s -k option?

       -k, --insecure
              (TLS)  By default, every SSL connection curl makes is verified to be secure. This option allows curl
              to proceed and operate even for server connections otherwise considered insecure.

              The server connection is verified by making sure the server's certificate contains  the  right  name
              and verifies successfully using the cert store.

              See this online resource for further details:
               https://curl.haxx.se/docs/sslcerts.html

              See also --proxy-insecure and --cacert.

quinnj · July 24, 2017, 1:05am

It’s an MbedTLS.jl option, so should work with either Requests or HTTP. With HTTP.jl, you’d do something like

using HTTP, MbedTLS
client = HTTP.Client(tlsconfig=MbedTLS.SSLConfig(false))
HTTP.get(client, url; options...)

josefsachs · July 24, 2017, 10:22am

Thanks.

My colleague Keith Mason pointed out the following for Requests.jl.
https://github.com/JuliaWeb/Requests.jl/issues/126

malmaud · July 24, 2017, 6:47pm

I introduced the MbedTLS integration to Requests, so it would logically fall to me to write that documentation. There isn’t much motivation though since HTTP is intended to replace Requests.