ninenines / gun

HTTP/1.1, HTTP/2, Websocket client (and more) for Erlang/OTP.
ISC License

Certificates with wildcards are not handled correctly #270

Open jbevemyr opened 3 years ago

jbevemyr commented 3 years ago

The customize_hostname_check option needs to be set to a fun that performs HTTPS-style hostname checks. Different protocols using TLS want different handling of hostname matching in certificates, i.e. HTTPS and LDAP differ in how wildcards should be handled.

By default wildcards are not handled correctly for HTTPS, i.e. connecting to https://aus.auth0.com does not work when

```erlang
tls_opts => [{verify, verify_peer}, {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}]
```

It also needs `{customize_hostname_check, [{match_fun, CustomFun}]}` where `CustomFun = public_key:pkix_verify_hostname_match_fun(https)`.

mfeckie commented 2 years ago

Did you ever find a solution to this? I'm having a similar problem

jbevemyr commented 2 years ago

Yes, the fix has not been incorporated, but you can use my fork if you like, or pester the maintainer to include the fix :-). The diff is very small. https://github.com/jbevemyr/gun There are two commits in my fork that solve the problem.

https://github.com/jbevemyr/gun/commit/fdd196c6ed0a1c5d5cd80d7ee2495c23a2114b55 https://github.com/jbevemyr/gun/commit/6d0ee4feca139c1b8d30f4873f7d9b5606f2f58f

essen commented 2 years ago

You do not need to modify Gun to do this, you can just provide the transport options when you open the connection.

Edit: I will go over the PRs once I am done with my current work, shouldn't take more than a few more weeks now.

mfeckie commented 2 years ago

@essen That sounds great, can you give me a hint on how to do that?

jbevemyr commented 2 years ago

Something like this

```erlang
%% Use the HTTPS hostname match fun from public_key so that wildcard
%% certificates are matched the way HTTPS clients expect.
CustomFun = public_key:pkix_verify_hostname_match_fun(https),
TransOpts = [{customize_hostname_check, [{match_fun, CustomFun}]}],
ConnectionOpts = #{transport => tls, tls_opts => TransOpts},
gun:open(Host, Port, ConnectionOpts)
```

If you are using Erlang.
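A complete, verifying TLS configuration for Gun together with an offline check of the wildcard behaviour described in the report, as an added example (not code from the Gun project or from anyone in this thread). It assumes Gun 1.3 or later for the `tls_opts` connection option, OTP 21 or later for `public_key:pkix_verify_hostname/3`, `pkix_verify_hostname_match_fun/1` and `pkix_test_data/1`, and the CA bundle path from the report; the module name and the `*.auth0.com` test certificate are constructed for the example.

```erlang
%% gun_tls_wildcard_example.erl
%% Added example, not code from Gun or from this issue thread.
%% Assumes Gun >= 1.3 (tls_opts option) and OTP >= 21 (public_key API below).
-module(gun_tls_wildcard_example).
-export([tls_opts/1, open/2, wildcard_demo/0]).

-include_lib("public_key/include/public_key.hrl").

%% Full verifying TLS client options for an HTTPS connection to Host
%% (a string, so it can also be used for SNI). The match_fun is only
%% consulted when verify_peer is set; without the https match_fun a
%% certificate for *.auth0.com does not match aus.auth0.com.
tls_opts(Host) ->
    [{verify, verify_peer},
     {cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
     {server_name_indication, Host},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Open a verified HTTPS connection with Gun and wait for it to come up.
%% A hostname mismatch or an untrusted chain surfaces as {error, Reason}.
open(Host, Port) ->
    {ok, ConnPid} = gun:open(Host, Port,
                             #{transport => tls, tls_opts => tls_opts(Host)}),
    case gun:await_up(ConnPid) of
        {ok, Protocol} ->
            {ok, ConnPid, Protocol};
        {error, Reason} ->
            gun:close(ConnPid),
            {error, Reason}
    end.

%% Offline comparison of the default hostname match and the HTTPS one,
%% using a throw-away test certificate whose only dNSName is the
%% constructed wildcard "*.auth0.com". The HTTPS fun applies the
%% RFC 6125 section 6.4.3 rule: the wildcard must be the leftmost label
%% and stands in for exactly one label, so it does not cover the parent
%% domain or deeper subdomains.
%% Returns [{Hostname, DefaultMatchResult, HttpsMatchResult}].
wildcard_demo() ->
    San = #'Extension'{extnID = ?'id-ce-subjectAltName',
                       extnValue = [{dNSName, "*.auth0.com"}],
                       critical = false},
    Conf = public_key:pkix_test_data(#{root => [],
                                       peer => [{extensions, [San]}]}),
    PeerDer = proplists:get_value(cert, Conf),
    Https = public_key:pkix_verify_hostname_match_fun(https),
    Check = fun(Name) ->
                Ref = [{dns_id, Name}],
                {Name,
                 public_key:pkix_verify_hostname(PeerDer, Ref),
                 public_key:pkix_verify_hostname(PeerDer, Ref,
                                                 [{match_fun, Https}])}
            end,
    [Check("aus.auth0.com"),   % one label under the wildcard
     Check("auth0.com"),       % the parent domain itself
     Check("a.b.auth0.com")].  % two labels under the wildcard
```

`wildcard_demo/0` needs no network and shows why the report's `{verify, verify_peer}` plus `cacertfile` alone is not enough: the chain validates, but the default match fun compares the dNSName literally, so the connection is still rejected until the HTTPS match fun is supplied.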

essen commented 2 years ago

Does anything need to be done in Gun with regard to this? Can we close this?

jbevemyr commented 2 years ago

I think Gun should be changed to use the public_key:pkix_verify_hostname_match_fun(https) fun to check hostnames, since that is the expected behaviour when using HTTPS.

essen commented 2 years ago

Can that be set without setting any other TLS option? Considering Gun currently does not verify certificates by default and I don't think this will change in 2.0.

jbevemyr commented 2 years ago

Right, that is true. Don't know if it can be set separately.

essen commented 2 years ago

OK. Considering the limited time I have, I will leave this ticket open and look at it after 2.0. I think it would be a good idea for Gun to optionally be fully configured for TLS, perhaps using the same library Hackney has, but it needs work. Let's keep this ticket open for visibility.