
Fix ssl check hostname options for wildcard certificate
belltoy committed Jun 12, 2021
1 parent ee12ac2 commit 4bf81cb
Showing 2 changed files with 13 additions and 2 deletions.
1 change: 1 addition & 0 deletions rebar.config
Expand Up @@ -34,6 +34,7 @@

{erl_opts, [warnings_as_errors,
{platform_define, "^(2[1-9])|(20\\\\.3)", filelib_find_source},
{platform_define, "^(1|(20))", no_customize_hostname_check},
{platform_define, "^(20)", fun_stacktrace}
]}.

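Review bot: The new `platform_define` on the no_customize_hostname_check line gates `check_hostname_opt/1` in src/rebar_utils.erl, but nothing records why the cut-off is release strings beginning with `1` or `20`; a comment such as `%% customize_hostname_check / public_key:pkix_verify_hostname_match_fun/1 are not available before OTP 21` above it would stop the regex from being "simplified" later. Like the neighbouring defines, `^(1|(20))` only anchors the prefix of the release string, which is presumably intended to cover OTP 17 through 20. The OTP 21 boundary is from memory rather than from this diff, so confirm it against the public_key release notes before wording the comment.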
14 changes: 12 additions & 2 deletions src/rebar_utils.erl
Expand Up @@ -1077,14 +1077,24 @@ ssl_opts(ssl_verify_enabled, Url) ->
VerifyFun = {fun ssl_verify_hostname:verify_fun/3,
[{check_hostname, Hostname}]},
CACerts = get_cacerts(),
[{verify, verify_peer}, {depth, 2}, {cacerts, CACerts},
{partial_chain, fun partial_chain/1}, {verify_fun, VerifyFun}];
SslOpts = [{verify, verify_peer}, {depth, 2}, {cacerts, CACerts},
{partial_chain, fun partial_chain/1}, {verify_fun, VerifyFun}],
check_hostname_opt(SslOpts);
false ->
?WARN("Insecure HTTPS request (peer verification disabled), "
"please update to OTP 17.4 or later", []),
[{verify, verify_none}]
end.

-ifdef(no_customize_hostname_check).
check_hostname_opt(Opts) ->
Opts.
-else.
check_hostname_opt(Opts) ->
MatchFun = public_key:pkix_verify_hostname_match_fun(https),
[{customize_hostname_check, [{match_fun, MatchFun}]} | Opts].
-endif.

-spec partial_chain(Certs) -> Res when
Certs :: list(any()),
Res :: unknown_ca | {trusted_ca, any()}.
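Review bot: `check_hostname_opt/1` is added without a `-spec` or a comment explaining why the option is needed, even though that is the whole point of the fix; a line above the `-ifdef` such as `%% OTP's built-in hostname check does not accept wildcard certificates unless the https match fun is supplied (see commit title); releases without customize_hostname_check (no_customize_hostname_check in rebar.config) get the opts unchanged.` plus `-spec check_hostname_opt([{atom(), term()}]) -> [{atom(), term()}].` would make both branches self-explanatory. It is also worth stating that on the pass-through branch hostname matching relies solely on the `ssl_verify_hostname:verify_fun/3` entry built a few lines earlier in this hunk, so nobody later assumes the built-in check is active on every release. The enclosing `ssl_opts/2` begins before this hunk.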

