Is Wreq suitable for HTTPS applications?

[bdesham]

One of the items in the TODO is

TLS server certificate verification

Does this mean that anyone can create (self-sign) a certificate for e.g. www.google.com and Wreq will accept this certificate?

[bdesham]

It seems that Wreq (correctly) rejects self-signed certificates. I ran this example code

#!/usr/bin/env stack
-- stack --install-ghc --resolver lts-5.12 runghc --package lens --package wreq

{-# LANGUAGE OverloadedStrings #-}

import Control.Lens
import Data.ByteString.Char8 (unpack)
import Network.Wreq

main = do
    r <- get "https://www.example.com"
    let t = r ^. responseHeader "Content-Type"
    putStrLn $ unpack t

replacing www.example.com with a test server that had a self-signed certificate, and I got an error:

test.hs: TlsExceptionHostPort (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))) "www.example.com" 443

I think that the TODO.md simply needs to be updated.

[oherrala]

TryTLS test tool (https://github.com/ouspg/trytls) has some tests for HTTPS (mostly certificate handling).

I have contributed Wreq stub: (https://github.com/ouspg/trytls/tree/master/stubs/haskell-wreq)

Currently running TryTLS tests for Wreq looks like:

$ trytls -t .https.all_tests -- docker run --rm test-wreq
PASS badssl(False, 'expired')
FAIL badssl(False, 'wrong.host')
PASS badssl(False, 'self-signed')
PASS badssl(True, 'sha256')
PASS badssl(True, '1000-sans')
PASS badssl(True, '10000-sans')
PASS badssl(False, 'incomplete-chain')
FAIL badssl(False, 'pinning-test')
PASS badssl(False, 'superfish')
PASS badssl(False, 'edellroot')
PASS badssl(False, 'dsdtestprovider')
SKIP local(True, 'localhost', callback=<function https_callback at 0x10f069230>)
SKIP local(False, 'nothing', callback=<function https_callback at 0x10f069230>)

That one fail with "wrong.host" is reported in #84. With this set of tests, Wreq looks good for HTTPS connections.

[bdesham]

Wow, this is great work! Thanks for doing this!