From 4bf81cb44e665983089f759047dffade166c3810 Mon Sep 17 00:00:00 2001
From: belltoy
Date: Sat, 12 Jun 2021 18:42:47 +0800
Subject: [PATCH] Fix ssl check hostname options for wildcard certificate
---
 rebar.config | 1 +
 src/rebar_utils.erl | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/rebar.config b/rebar.config
index 55e748f6e..faf47cb83 100644
--- a/rebar.config
+++ b/rebar.config
@@ -34,6 +34,7 @@
 {erl_opts, [warnings_as_errors,
 {platform_define, "^(2[1-9])|(20\\\\.3)", filelib_find_source},
+ {platform_define, "^(1|(20))", no_customize_hostname_check},
 {platform_define, "^(20)", fun_stacktrace}
 ]}.
diff --git a/src/rebar_utils.erl b/src/rebar_utils.erl
index fb04876ff..d5a6b4b8b 100644
--- a/src/rebar_utils.erl
+++ b/src/rebar_utils.erl
@@ -1077,14 +1077,24 @@ ssl_opts(ssl_verify_enabled, Url) ->
 VerifyFun = {fun ssl_verify_hostname:verify_fun/3,
 [{check_hostname, Hostname}]},
 CACerts = get_cacerts(),
- [{verify, verify_peer}, {depth, 2}, {cacerts, CACerts},
- {partial_chain, fun partial_chain/1}, {verify_fun, VerifyFun}];
+ SslOpts = [{verify, verify_peer}, {depth, 2}, {cacerts, CACerts},
+ {partial_chain, fun partial_chain/1}, {verify_fun, VerifyFun}],
+ check_hostname_opt(SslOpts);
 false ->
 ?WARN("Insecure HTTPS request (peer verification disabled), "
 "please update to OTP 17.4 or later", []),
 [{verify, verify_none}]
 end.
+-ifdef(no_customize_hostname_check).
+check_hostname_opt(Opts) ->
+ Opts.
+-else.
+check_hostname_opt(Opts) ->
+ MatchFun = public_key:pkix_verify_hostname_match_fun(https),
+ [{customize_hostname_check, [{match_fun, MatchFun}]} | Opts].
+-endif.
 -spec partial_chain(Certs) -> Res when
 Certs :: list(any()),
 Res :: unknown_ca | {trusted_ca, any()}.
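Review bot: The new `no_customize_hostname_check` platform_define says nothing about which OTP feature it gates, and rebar.config is the only place a reader will look to learn why the option is switched off on older releases. The regex `"^(1|(20))"` disables it for every 1x and 20.x release, which is consistent with `public_key:pkix_verify_hostname_match_fun/1` being, as far as I recall, introduced in OTP 21; the inner parentheses are redundant, so `"^(1|20)"` expresses the same condition more plainly. I would add `%% ssl customize_hostname_check / public_key match fun need OTP 21+, see check_hostname_opt/1` above the entry so the define and the `-ifdef` in rebar_utils.erl stay tied together.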
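Review bot: The new `check_hostname_opt/1` has neither a `-spec` nor a comment explaining why the option is added, so the reason this is a security-relevant change (the built-in hostname check, which this option customizes, otherwise rejects wildcard certificates) lives only in the commit title. I would put, above the `-ifdef`, a short comment saying that the ssl default hostname match does not accept `*.example.com`-style names, that the `https` match fun from `public_key` applies the standard wildcard rules, and that the option is omitted on releases where it does not exist (the `no_customize_hostname_check` define), followed by `-spec check_hostname_opt([{atom(), term()}]) -> [{atom(), term()}].` on both branches. Note that on newer releases the hostname is now verified twice, once by `ssl_verify_hostname:verify_fun/3` through `verify_fun` and once by ssl itself; that is harmless, but worth one sentence in the same comment so nobody removes one of them thinking it is redundant. The enclosing `ssl_opts/2` clause and its `case` begin before the hunk, so the `Hostname` and `Url` bindings could not be reviewed here.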