Gun adapter helper: fix wildcard cert issues on OTP 23
See https://bugs.erlang.org/browse/ERL-1260 for more info. The ssl match function is basically copied from mint, except that `:string.lowercase/1` was replaced by `:string.casefold`. It was a TODO in mint's code, so might as well do it since we don't need to support OTP <20. Closes #1834
This commit is contained in:
parent
007843b75e
commit
37f1e781cb
@ -39,9 +39,36 @@ defp add_scheme_opts(opts, %{scheme: "http"}), do: opts
|
||||
defp add_scheme_opts(opts, %{scheme: "https"}) do
|
||||
opts
|
||||
|> Keyword.put(:certificates_verification, true)
|
||||
|> Keyword.put(:tls_opts, log_level: :warning)
|
||||
|> Keyword.put(:tls_opts,
|
||||
log_level: :warning,
|
||||
customize_hostname_check: [match_fun: &ssl_match_fun/2]
|
||||
)
|
||||
end
|
||||
|
||||
# ssl_match_fun is adapted from [Mint](https://github.com/elixir-mint/mint)
|
||||
# Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi
|
||||
|
||||
# Wildcard domain handling for DNS ID entries in the subjectAltName X.509
|
||||
# extension. Note that this is a subset of the wildcard patterns implemented
|
||||
# by OTP when matching against the subject CN attribute, but this is the only
|
||||
# wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and
|
||||
# therefore the only pattern used in commercially issued certificates.
|
||||
defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do
|
||||
case domain_without_host(reference) do
|
||||
'' ->
|
||||
:default
|
||||
|
||||
domain ->
|
||||
:string.casefold(domain) == :string.casefold(presented)
|
||||
end
|
||||
end
|
||||
|
||||
defp ssl_match_fun(_reference, _presented), do: :default
|
||||
|
||||
defp domain_without_host([]), do: []
|
||||
defp domain_without_host([?. | domain]), do: domain
|
||||
defp domain_without_host([_ | more]), do: domain_without_host(more)
|
||||
|
||||
@spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()}
|
||||
def get_conn(uri, opts) do
|
||||
case ConnectionPool.get_conn(uri, opts) do
|
||||
|
Loading…
Reference in New Issue
Block a user