
Certificates with wildcards are not handled correctly #270

Open
jbevemyr opened this issue Jun 1, 2021 · 10 comments

Comments

@jbevemyr
Contributor

jbevemyr commented Jun 1, 2021

The customize_hostname_check needs to be set to a fun that performs
https-style hostname checks. Different protocols using TLS want
different handling of hostname matching in certificates, i.e. https and
ldap differ in how wildcards should be handled.

By default wildcards are not handled correctly for https, i.e.
connecting to https://aus.auth0.com does not work when

tls_opts => [{verify,verify_peer},
{cacertfile, "/etc/ssl/certs/ca-certificates.crt"}]

It also needs
{customize_hostname_check, [{match_fun, CustomFun}]} where
CustomFun = public_key:pkix_verify_hostname_match_fun(https).

@mfeckie

mfeckie commented Oct 21, 2021

Did you ever find a solution to this? I'm having a similar problem.

@jbevemyr
Contributor Author

Yes, the fix has not been incorporated, but you can use my fork if you like or pester the maintainer to include the fix :-). The diff is very small. https://github.com/jbevemyr/gun
There are two commits in my fork that solve the problem.

jbevemyr@fdd196c
jbevemyr@6d0ee4f

@essen
Member

essen commented Oct 21, 2021

You do not need to modify Gun to do this, you can just provide the transport options when you open the connection.

Edit: I will go over the PRs once I am done with my current work, shouldn't take more than a few more weeks now.

@mfeckie

mfeckie commented Oct 21, 2021

@essen That sounds great, can you give me a hint on how to do that?

@jbevemyr
Contributor Author

Something like this:

CustomFun = public_key:pkix_verify_hostname_match_fun(https),
TransOpts = [{customize_hostname_check, [{match_fun, CustomFun}]}],
ConnectionOpts = #{transport => tls, tls_opts => TransOpts},
gun:open(Host, Port, ConnectionOpts)

If you are using Erlang.
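The snippet above sets only the match fun. As an added example (not from the Gun project or from the thread's author), the module below shows the full set of TLS options a practitioner would want together: peer verification, a CA bundle, SNI, and the HTTPS hostname-matching rules, wrapped in a function that opens the connection and waits for it to come up. It also calls the match fun directly on constructed hostnames, which shows what `public_key:pkix_verify_hostname_match_fun(https)` changes without needing a certificate. The module name, the function names and the `depth` value are assumptions; the CA bundle path is the one from the issue.

```erlang
%% Added example, not part of Gun or of this thread. Opens an HTTPS
%% connection with Gun with certificate verification turned on and with the
%% HTTPS hostname-matching rules, so that a certificate for "*.example.com"
%% is accepted for "www.example.com" (constructed names).
%% Assumes Gun is on the code path and that the CA bundle lives at the path
%% given in the issue; adjust for your system.
-module(gun_https_example).
-export([tls_opts/1, open_https/2, match_examples/0]).

%% Build the ssl options that Gun passes on to ssl:connect/3.
%% Without {verify, verify_peer} nothing below is evaluated: neither the
%% certificate chain nor the hostname is checked.
tls_opts(Host) when is_list(Host) ->
    HttpsMatch = public_key:pkix_verify_hostname_match_fun(https),
    [{verify, verify_peer},
     {cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
     {depth, 3},                         % assumed chain depth limit
     %% Send the hostname in the handshake and use it as the reference
     %% identifier for the certificate check.
     {server_name_indication, Host},
     %% ssl's default check is an exact dNSName match; the https match fun
     %% adds the wildcard handling HTTP clients expect.
     {customize_hostname_check, [{match_fun, HttpsMatch}]}].

%% Open the connection and wait for it to be up. A certificate that fails
%% verification surfaces here as {error, Reason} instead of a silently
%% accepted connection.
open_https(Host, Port) ->
    Opts = #{transport => tls, tls_opts => tls_opts(Host)},
    case gun:open(Host, Port, Opts) of
        {ok, ConnPid} ->
            case gun:await_up(ConnPid) of
                {ok, _Protocol} ->
                    {ok, ConnPid};
                {error, Reason} ->
                    gun:close(ConnPid),
                    {error, Reason}
            end;
        {error, Reason} ->
            {error, Reason}
    end.

%% The match fun can be exercised on its own: it receives the reference
%% identifier from the client side and the identifier presented in the
%% certificate's subjectAltName. All hostnames below are constructed.
match_examples() ->
    F = public_key:pkix_verify_hostname_match_fun(https),
    [{exact,          F({dns_id, "aus.auth0.com"},   {dNSName, "aus.auth0.com"})},
     {wildcard,       F({dns_id, "aus.auth0.com"},   {dNSName, "*.auth0.com"})},
     {extra_label,    F({dns_id, "a.aus.auth0.com"}, {dNSName, "*.auth0.com"})},
     {other_domain,   F({dns_id, "aus.auth0.com"},   {dNSName, "*.example.com"})}].
```

`match_examples/0` illustrates the rule the https match fun implements: a `*` in the leftmost label of the presented name stands in for exactly one label of the reference name, so the wildcard neither spans subdomains nor crosses into another domain. `open_https/2` is the piece to reuse; the `tls_opts/1` list is what the issue's `tls_opts` map key expects, and it only has an effect with `verify_peer` set.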

@essen
Member

essen commented Mar 3, 2022

Does anything need to be done in Gun with regard to this? Can we close this?

@jbevemyr
Contributor Author

jbevemyr commented Mar 3, 2022

I think Gun should be changed to use the public_key:pkix_verify_hostname_match_fun(https) fun to check hostnames, since that is the expected behaviour when using https.

@essen
Member

essen commented Mar 3, 2022

Can that be set without setting any other TLS option? Considering Gun currently does not verify certificates by default and I don't think this will change in 2.0.

@jbevemyr
Contributor Author

jbevemyr commented Mar 3, 2022

Right, that is true. Don't know if it can be set separately.

@essen
Member

essen commented Mar 3, 2022

OK. Considering the limited time I have I will leave this ticket open and see this after 2.0. I think it would be a good idea for Gun to optionally be fully configured for TLS, perhaps using the same library Hackney has, but it needs work. Let's keep this ticket open for visibility.
