forked from YokaiRick/akkoma
Simplify TLS opts
- `verify_fun` is not useful now - use `customize_check_hostname` (OTP 20+ so OK) - `partial_chain` is useless as of OTP 21.1 (wasn't there, but hackney/.. uses it)
This commit is contained in:
parent
ebfa591689
commit
ce1a42bd04
2 changed files with 2 additions and 31 deletions
|
@ -28,9 +28,8 @@ defp maybe_add_tls_opts(opts, %URI{scheme: "https", host: host}) do
|
||||||
cacertfile: CAStore.file_path(),
|
cacertfile: CAStore.file_path(),
|
||||||
depth: 20,
|
depth: 20,
|
||||||
reuse_sessions: false,
|
reuse_sessions: false,
|
||||||
verify_fun:
|
log_level: :warning,
|
||||||
{&:ssl_verify_hostname.verify_fun/3,
|
customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
|
||||||
[check_hostname: Pleroma.HTTP.AdapterHelper.format_host(host)]}
|
|
||||||
]
|
]
|
||||||
|
|
||||||
tls_opts =
|
tls_opts =
|
||||||
|
|
|
@ -39,36 +39,8 @@ defp add_scheme_opts(opts, %{scheme: "http"}), do: opts
|
||||||
defp add_scheme_opts(opts, %{scheme: "https"}) do
|
defp add_scheme_opts(opts, %{scheme: "https"}) do
|
||||||
opts
|
opts
|
||||||
|> Keyword.put(:certificates_verification, true)
|
|> Keyword.put(:certificates_verification, true)
|
||||||
|> Keyword.put(:tls_opts,
|
|
||||||
log_level: :warning,
|
|
||||||
customize_hostname_check: [match_fun: &ssl_match_fun/2]
|
|
||||||
)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# ssl_match_fun is adapted from [Mint](https://github.com/elixir-mint/mint)
|
|
||||||
# Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi
|
|
||||||
|
|
||||||
# Wildcard domain handling for DNS ID entries in the subjectAltName X.509
|
|
||||||
# extension. Note that this is a subset of the wildcard patterns implemented
|
|
||||||
# by OTP when matching against the subject CN attribute, but this is the only
|
|
||||||
# wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and
|
|
||||||
# therefore the only pattern used in commercially issued certificates.
|
|
||||||
defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do
|
|
||||||
case domain_without_host(reference) do
|
|
||||||
'' ->
|
|
||||||
:default
|
|
||||||
|
|
||||||
domain ->
|
|
||||||
:string.casefold(domain) == :string.casefold(presented)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
defp ssl_match_fun(_reference, _presented), do: :default
|
|
||||||
|
|
||||||
defp domain_without_host([]), do: []
|
|
||||||
defp domain_without_host([?. | domain]), do: domain
|
|
||||||
defp domain_without_host([_ | more]), do: domain_without_host(more)
|
|
||||||
|
|
||||||
@spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()}
|
@spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()}
|
||||||
def get_conn(uri, opts) do
|
def get_conn(uri, opts) do
|
||||||
case ConnectionPool.get_conn(uri, opts) do
|
case ConnectionPool.get_conn(uri, opts) do
|
||||||
|
|
Loading…
Reference in a new issue