From 17962a2825b008dad1f0fdd3902ba267f75de10f Mon Sep 17 00:00:00 2001
From: Doug Rohrer
Date: Wed, 11 Feb 2015 16:26:43 -0500
Subject: [PATCH] =?UTF-8?q?Only=20refuse=20same=20common=20name=20if=20Com?=
 =?UTF-8?q?monName=20isn=E2=80=99t=20a=20wildcard=20CN.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/riak_core_ssl_util.erl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/riak_core_ssl_util.erl b/src/riak_core_ssl_util.erl
index 89a8dd6d5..5b589f706 100644
--- a/src/riak_core_ssl_util.erl
+++ b/src/riak_core_ssl_util.erl
@@ -172,6 +172,12 @@ load_cert(Cert) ->
                     Type == 'Certificate', Cipher == 'not_encrypted']
     end.
 
+%% Reject another node whose common name is the same as ours unless it's a wildcard
+invalid_cn_pair([$* | _], _) ->
+    false;
+invalid_cn_pair(LeftCN, RightCN) ->
+    string:to_lower(LeftCN) == string:to_lower(RightCN).
+
 %% Custom SSL verification function for checking common names against the
 %% whitelist.
 verify_ssl(_, {bad_cert, _} = Reason, _) ->
@@ -186,7 +192,7 @@ verify_ssl(_, valid_peer, undefined) ->
     {fail, bad_local_common_name};
 verify_ssl(Cert, valid_peer, {App, MyCommonName}) ->
     CommonName = get_common_name(Cert),
-    case string:to_lower(CommonName) == string:to_lower(MyCommonName) of
+    case invalid_cn_pair(CommonName, MyCommonName) of
         true ->
             lager:error("Peer certificate's common name matches local "
                         "certificate's common name: ~p", [CommonName]),
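Review bot: The new `invalid_cn_pair/2` in the first hunk has no `-spec`, and its one-line comment does not say which side is exempted or that the comparison is case-insensitive, so a reader has to work out from the `[$* | _]` head that only the peer's CN (the first argument, `CommonName` at the call site) is examined and that only a leading `*` counts as a wildcard. A fuller comment and a spec would pin that down: `%% True when the peer CN equals our own after string:to_lower/1, i.e. the peer must be refused; a peer CN starting with '*' is exempt because one wildcard certificate may be shared by several nodes.` together with `-spec invalid_cn_pair(string(), string()) -> boolean().` The `[$* | _]` head also assumes the CN is a list, which the `string:to_lower/1` call on the removed line suggests is the case today; should `get_common_name/1` ever return a binary, the wildcard clause would silently never match and the comparison clause would run instead, so making the type explicit in the spec is worthwhile. Since the function answers "must this pair be refused", an `is_`-style predicate name would read more naturally at the `case ... of true ->` site in the second hunk, but that is cosmetic. The `verify_ssl/3` clause changed in the second hunk continues past the end of the hunk.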