author | href <href@random.sh> | 2020-07-08 15:12:09 +0200 |
---|---|---|
committer | rinpatch <rinpatch@sdf.org> | 2020-07-15 15:26:35 +0300 |
commit | ce1a42bd04bcf352ea1565b411444a98261b0a96 (patch) | |
tree | baddfcb4b430347eeb4d53a858ee19e4546e5b12 | |
parent | ebfa59168942df9f8df73972a407cd2beada41e1 (diff) | |
download | pleroma-ce1a42bd04bcf352ea1565b411444a98261b0a96.tar.gz |
Simplify TLS opts
- `verify_fun` is not useful now
- use `customize_check_hostname` (OTP 20+ so OK)
- `partial_chain` is unnecessary as of OTP 21.1 (it was not set here, but hackney and other clients
  use it)
-rw-r--r-- | lib/pleroma/gun/conn.ex | 5 | ||||
-rw-r--r-- | lib/pleroma/http/adapter_helper/gun.ex | 28 |
2 files changed, 2 insertions, 31 deletions
diff --git a/lib/pleroma/gun/conn.ex b/lib/pleroma/gun/conn.ex
index 9dc8880db..5c12e8153 100644
--- a/lib/pleroma/gun/conn.ex
+++ b/lib/pleroma/gun/conn.ex
@@ -28,9 +28,8 @@ defmodule Pleroma.Gun.Conn do
       cacertfile: CAStore.file_path(),
       depth: 20,
       reuse_sessions: false,
-      verify_fun:
-        {&:ssl_verify_hostname.verify_fun/3,
-         [check_hostname: Pleroma.HTTP.AdapterHelper.format_host(host)]}
+      log_level: :warning,
+      customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
     ]
 
     tls_opts =
diff --git a/lib/pleroma/http/adapter_helper/gun.ex b/lib/pleroma/http/adapter_helper/gun.ex
index 74677ddb5..b4ff8306c 100644
--- a/lib/pleroma/http/adapter_helper/gun.ex
+++ b/lib/pleroma/http/adapter_helper/gun.ex
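Review bot: In the conn.ex hunk the new `customize_hostname_check` entry only supplies the wildcard matcher; the reference name the certificate is matched against is no longer stated anywhere in these options, whereas the removed `verify_fun` passed it explicitly through `check_hostname: Pleroma.HTTP.AdapterHelper.format_host(host)`. The check now depends on ssl deriving the name from whatever host gun hands to `ssl:connect` (and on `verify: :verify_peer`, which is above the hunk and not visible here), so a connection opened by IP literal or with a host in an unexpected form could silently end up without a hostname check. Assuming `host` is still bound at this point, making the reference explicit is one line next to the new entry, `server_name_indication: Pleroma.HTTP.AdapterHelper.format_host(host),`, which also guarantees SNI is sent. If I remember right, `:public_key.pkix_verify_hostname_match_fun/1` arrived in OTP 21 rather than 20, so the "OTP 20+" remark in the message may understate the requirement and is worth confirming against the project's minimum OTP. The enclosing function starts before the hunk.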
@@ -39,36 +39,8 @@ defmodule Pleroma.HTTP.AdapterHelper.Gun do defp add_scheme_opts(opts, %{scheme: "https"}) do opts |> Keyword.put(:certificates_verification, true) - |> Keyword.put(:tls_opts, - log_level: :warning, - customize_hostname_check: [match_fun: &ssl_match_fun/2] - ) end - # ssl_match_fun is adapted from [Mint](https://github.com/elixir-mint/mint) - # Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi - - # Wildcard domain handling for DNS ID entries in the subjectAltName X.509 - # extension. Note that this is a subset of the wildcard patterns implemented - # by OTP when matching against the subject CN attribute, but this is the only - # wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and - # therefore the only pattern used in commercially issued certificates. - defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do - case domain_without_host(reference) do - '' -> - :default - - domain -> - :string.casefold(domain) == :string.casefold(presented) - end - end - - defp ssl_match_fun(_reference, _presented), do: :default - - defp domain_without_host([]), do: [] - defp domain_without_host([?. | domain]), do: domain - defp domain_without_host([_ | more]), do: domain_without_host(more) - @spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()} def get_conn(uri, opts) do case ConnectionPool.get_conn(uri, opts) do |