ash/akkoma
1
0
Fork 0
forked from AkkomaGang/akkoma
Code Issues Pull requests Projects Releases Packages Wiki Activity

Simplify TLS opts

Browse source 
- `verify_fun` is not useful now
- use `customize_check_hostname` (OTP 20+ so OK)
- `partial_chain` is useless as of OTP 21.1 (wasn't there, but hackney/..
uses it)
This commit is contained in:
href 2020-07-08 15:12:09 +02:00 committed by rinpatch
parent ebfa591689
commit ce1a42bd04
2 changed files with 2 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
lib/pleroma/gun/conn.ex
View file

@ -28,9 +28,8 @@ defp maybe_add_tls_opts(opts, %URI{scheme: "https", host: host}) do
cacertfile: CAStore.file_path(), cacertfile: CAStore.file_path(),
depth: 20, depth: 20,
reuse_sessions: false, reuse_sessions: false,
verify_fun: log_level: :warning,
{&:ssl_verify_hostname.verify_fun/3, customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
[check_hostname: Pleroma.HTTP.AdapterHelper.format_host(host)]}
] ]
tls_opts = tls_opts =

28
lib/pleroma/http/adapter_helper/gun.ex
View file

@ -39,36 +39,8 @@ defp add_scheme_opts(opts, %{scheme: "http"}), do: opts
defp add_scheme_opts(opts, %{scheme: "https"}) do defp add_scheme_opts(opts, %{scheme: "https"}) do
opts opts
|> Keyword.put(:certificates_verification, true) |> Keyword.put(:certificates_verification, true)
|> Keyword.put(:tls_opts,
log_level: :warning,
customize_hostname_check: [match_fun: &ssl_match_fun/2]
)
end end
# ssl_match_fun is adapted from [Mint](https://github.com/elixir-mint/mint)
# Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi
# Wildcard domain handling for DNS ID entries in the subjectAltName X.509
# extension. Note that this is a subset of the wildcard patterns implemented
# by OTP when matching against the subject CN attribute, but this is the only
# wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and
# therefore the only pattern used in commercially issued certificates.
defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do
case domain_without_host(reference) do
'' ->
:default
domain ->
:string.casefold(domain) == :string.casefold(presented)
end
end
defp ssl_match_fun(_reference, _presented), do: :default
defp domain_without_host([]), do: []
defp domain_without_host([?. | domain]), do: domain
defp domain_without_host([_ | more]), do: domain_without_host(more)
@spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()} @spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()}
def get_conn(uri, opts) do def get_conn(uri, opts) do
case ConnectionPool.get_conn(uri, opts) do case ConnectionPool.get_conn(uri, opts) do