Certificates with wildcards are not handled correctly
jbevemyr opened this issue · 10 comments
The customize_hostname_check needs to be set to a fun that performs
https-style hostname checks. Different protocols using TLS want
different handling of hostname matching in certificates, i.e. https and
ldap differ in how wildcards should be handled.
By default wildcards are not handled correctly for https, i.e.
connecting to https://aus.auth0.com does not work when
tls_opts => [{verify,verify_peer},
{cacertfile, "/etc/ssl/certs/ca-certificates.crt"}]
it also needs
{customize_hostname_check, [{match_fun, CustomFun}]} where
CustomFun = public_key:pkix_verify_hostname_match_fun(https)
Did you ever find a solution to this? I'm having a similar problem.
Yes, the fix has not been incorporated but you can use my fork if you like or pester the maintainer to include the fix :-). The diff is very small. https://github.com/jbevemyr/gun
There are two commits in my fork that solve the problem.
You do not need to modify Gun to do this, you can just provide the transport options when you open the connection.
Edit: I will go over the PRs once I am done with my current work, shouldn't take more than a few more weeks now.
Something like this
CustomFun = public_key:pkix_verify_hostname_match_fun(https),
TransOpts = [{customize_hostname_check, [{match_fun, CustomFun}]}],
ConnectionOpts = #{transport => tls, tls_opts => TransOpts},
gun:open(Host, Port, ConnectionOpts)
If you are using Erlang.
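An added, complete version of the option set from the issue description and the reply above (example code, not Gun's own and not the reporter's fork); the module name, CA bundle path and depth value are assumptions:

```erlang
%% Added example (not Gun's own code): open a verified HTTPS connection
%% through Gun with RFC 6125 https-style wildcard matching enabled.
%% Module name, CA bundle path and depth value are assumptions.
-module(gun_verified_tls_example).
-export([tls_opts/1, open/2]).

%% TLS options Gun passes through to ssl:connect/3. Without the
%% customize_hostname_check entry, OTP's ssl applies strict hostname
%% matching and rejects a wildcard certificate such as *.example.com
%% even though the chain itself verifies.
tls_opts(CaFile) ->
    MatchFun = public_key:pkix_verify_hostname_match_fun(https),
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {depth, 3},  %% assumed chain depth limit
     {customize_hostname_check, [{match_fun, MatchFun}]}].

%% Open the connection and wait for the TLS handshake to finish.
%% A hostname or chain mismatch surfaces as {error, Reason} here
%% instead of a silently unverified session.
open(Host, Port) ->
    ConnOpts = #{transport => tls,
                 tls_opts => tls_opts("/etc/ssl/certs/ca-certificates.crt")},
    case gun:open(Host, Port, ConnOpts) of
        {ok, ConnPid} ->
            case gun:await_up(ConnPid) of
                {ok, _Protocol} ->
                    {ok, ConnPid};
                {error, Reason} ->
                    gun:close(ConnPid),
                    {error, Reason}
            end;
        {error, Reason} ->
            {error, Reason}
    end.
```

Because Gun passes the Host string on to ssl:connect/3, the same value is used for SNI and as the reference identifier for the hostname check, so the wildcard label is matched against the name you actually asked for.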
Does anything need to be done in Gun with regard to this? Can we close this?
I think Gun should be changed to use the public_key:pkix_verify_hostname_match_fun(https) fun to check hostnames since that is the expected behaviour when using https.
Can that be set without setting any other TLS option? Considering Gun currently does not verify certificates by default and I don't think this will change in 2.0.
Right, that is true. Don't know if it can be set separately.
OK. Considering the limited time I have I will leave this ticket open and see this after 2.0. I think it would be a good idea for Gun to optionally be fully configured for TLS, perhaps using the same library Hackney has, but it needs work. Let's keep this ticket open for visibility.