diff options
| author | rinpatch <rinpatch@sdf.org> | 2020-06-23 20:36:21 +0300 |
|---|---|---|
| committer | rinpatch <rinpatch@sdf.org> | 2020-07-15 15:26:35 +0300 |
| commit | 37f1e781cb19594a6534efbc4d28e793d5960915 (patch) | |
| tree | 8b8fdac8ff3fa69c8b16e9c7b823e85b74885ec5 | |
| parent | 007843b75e0c7087dad1ef932224b21327d81793 (diff) | |
| download | pleroma-37f1e781cb19594a6534efbc4d28e793d5960915.tar.gz | |
Gun adapter helper: fix wildcard cert issues on OTP 23
See https://bugs.erlang.org/browse/ERL-1260 for more info.
The ssl match function is basically copied from mint, except
that `:string.lowercase/1` was replaced by `:string.casefold`.
It was a TODO in mint's code, so might as well do it since we don't need
to support OTP <20.
Closes #1834
| -rw-r--r-- | lib/pleroma/http/adapter_helper/gun.ex | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/lib/pleroma/http/adapter_helper/gun.ex b/lib/pleroma/http/adapter_helper/gun.ex index 883f7f6f7..07aaed7f6 100644 --- a/lib/pleroma/http/adapter_helper/gun.ex +++ b/lib/pleroma/http/adapter_helper/gun.ex @@ -39,9 +39,36 @@ defmodule Pleroma.HTTP.AdapterHelper.Gun do defp add_scheme_opts(opts, %{scheme: "https"}) do opts |> Keyword.put(:certificates_verification, true) - |> Keyword.put(:tls_opts, log_level: :warning) + |> Keyword.put(:tls_opts, + log_level: :warning, + customize_hostname_check: [match_fun: &ssl_match_fun/2] + ) end + # ssl_match_fun is adapted from [Mint](https://github.com/elixir-mint/mint) + # Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi + + # Wildcard domain handling for DNS ID entries in the subjectAltName X.509 + # extension. Note that this is a subset of the wildcard patterns implemented + # by OTP when matching against the subject CN attribute, but this is the only + # wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and + # therefore the only pattern used in commercially issued certificates. + defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do + case domain_without_host(reference) do + '' -> + :default + + domain -> + :string.casefold(domain) == :string.casefold(presented) + end + end + + defp ssl_match_fun(_reference, _presented), do: :default + + defp domain_without_host([]), do: [] + defp domain_without_host([?. | domain]), do: domain + defp domain_without_host([_ | more]), do: domain_without_host(more) + @spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()} def get_conn(uri, opts) do case ConnectionPool.get_conn(uri, opts) do |