hazardfn
HTTPoison vs HTTPotion
I suppose this question is effectively hackney vs. ibrowse but we are at a point in our project where we have to make a choice between the 2 (or maybe there is a 3rd somebody wants to highlight?)
Just wondering if anybody has any constructive reasons as to why they would use one over the other?
Marked As Solved
voltone
Decided to write a blog post on the security posture of Elixir HTTPS clients. Linked here for future readers of this post:
https://blog.voltone.net/post/7
Also Liked
voltone
:ssl has improved a bit: it removed support for SSL 3.0, it added TLS 1.3 (still a bit flaky) along with some new ciphers/curves, and better handling of out-of-order certificates coming from the server. But what hasn’t changed is the default of verify: :verify_none, both for :ssl.connect/2,3,4 and the :httpc application.
HTTPotion seems to be ‘soft deprecated’.
Hackney has had a few issues lately due to :ssl changes. Sometimes it was possible to work around them, until a new version would land, by passing custom ssl options. The major catch there is that any custom ssl options passed to Hackney (and therefore HTTPoison and Tesla) will overwrite the secure defaults. So passing something like ssl: [versions: [:tlsv1_2]] reverts the :verify option back to :verify_none!
Mint attempts to merge custom ssl options with its own secure defaults (which is not trivial to do, since the individual options are inter-dependent). Any libraries that build on Mint should be fine too.
You can consider my ElixirConf EU 2019 talk ‘Learn you some :ssl for much security’ to be an updated version of the blog post referenced earlier in this thread. It is already a year old, but still mostly relevant.
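The overwrite behaviour described in the post above means a custom ssl option has to travel together with the full set of verification options. A sketch of that for HTTPoison, as an added example that is not part of the original posts or of any library; the module name VerifiedSSL, its function names and the depth value are assumptions:

```elixir
defmodule VerifiedSSL do
  @moduledoc """
  Added example (hypothetical module): builds a complete :ssl option list so
  that a custom option never leaves the connection at verify: :verify_none.
  """

  # Baseline that must accompany every custom option.
  defp baseline do
    [
      verify: :verify_peer,
      # OS trust store, OTP 25+; on older OTP use cacertfile: with a CA bundle path.
      cacerts: :public_key.cacerts_get(),
      # Constructed value: allows a few intermediate CAs in the chain.
      depth: 3,
      # HTTPS-style hostname matching, including wildcard certificates.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  @doc "Returns the baseline options with `custom` applied on top."
  def options(custom \\ []) do
    merged = Keyword.merge(baseline(), custom)

    # Refuse overrides that would switch verification off again.
    case Keyword.get(merged, :verify) do
      :verify_peer -> merged
      other -> raise ArgumentError, "refusing ssl options with verify: #{inspect(other)}"
    end
  end

  @doc "HTTPoison request that pins TLS 1.2 and still verifies the server."
  def get(url) do
    HTTPoison.get(url, [], ssl: options(versions: [:"tlsv1.2"]))
  end
end
```

A quick check is to point `VerifiedSSL.get/1` at a host with an expired or self-signed certificate and confirm the call returns an error tuple instead of a response.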
hazardfn
This performance analysis is interesting, especially if HTTPotion by default isn’t running an “optimized” ibrowse - perhaps the optimization itself (increased session count to 300 and max pipeline count to 1) is irrelevant for anything but benchmarks.
The README does a very bad job of explaining exactly what these results mean to the developer.
I am inclined to go with HTTPoison based on the results of this alone.








