Closed jbevemyr closed 2 years ago
How do you use Gun, that you have to set SNI manually?
We use gun to talk to a server that doesn't have a hostname that matches the certificate, so instead we set the SNI. We have a cluster of nodes where each node runs a cowboy server with the same certificate. We can connect to them with different host names but still verify them with the SNI. A workaround would be to issue separate certificates for each host and have dns alt names, of course.
Same fix, just slightly differently coded.
This looks reasonable to me. Most users won't need it but the risk of accepting this PR seem low.
Sure. Could you please add a test though? Something similar to https://github.com/ninenines/gun/blob/master/test/gun_SUITE.erl#L81 except you'll want an event that occurs after ensure_alpn_sni
.
It appears that since https://github.com/erlang/otp/commit/e9b0dbb4a95 (OTP-20, Gun is 22+) the ssl
application already sets SNI if none is provided. Therefore I think the best course of action here is to simply remove this code. I will add a test to confirm that SNI is sent and that a custom SNI can be set, regardless.
OK the automatic SNI applies to directly connecting using ssl
. It does not apply to upgrading a TCP socket. For that we must specify SNI (there's a note about this in https://www.erlang.org/doc/man/ssl.html#connect-3). So the patch is still necessary.
Cherry-picked the relevant commit. Thanks!
The tests I've added can't catch the original issue, but they will be good to have for the future.
…g multiple server_name_indication entries triggers a problem in OTP 23.2.7.