author | Loïc Hoguin <[email protected]> | 2025-03-26 16:19:57 +0100 |
---|---|---|
committer | Loïc Hoguin <[email protected]> | 2025-03-26 16:22:43 +0100 |
commit | f5dc8d3bafcf7976aa32cb9253542522f50cd51d (patch) | |
tree | bd2a56af0dd9154cf947a9c0c888a9a739a90632 | |
parent | 5a8d0f5454b87ef021c26228e2b06e29074e9bf9 (diff) | |
Configure customize_hostname_check by default
HTTP requires us to do wildcard certificate matching
so we now do it by default. That plus the previously
added `cacerts` configuration by default (using
`public_key:cacerts_get/0`) means that as far as
certificates are concerned, the default should now be
fully compliant. Users may want to keep configuring
some options such as `depth` though.
-rw-r--r-- | src/gun.erl | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/gun.erl b/src/gun.erl
index 082c210..8fb326d 100644
--- a/src/gun.erl
+++ b/src/gun.erl
@@ -1212,6 +1212,14 @@ ensure_tls_opts(Protocols0, TransOpts0, OriginHost) ->
 end
 end
 end,
+ %% Wildcard certificate matching.
+ TransOpts2 = case lists:keymember(customize_hostname_check, 1, TransOpts1) of
+ true ->
+ TransOpts1;
+ false ->
+ HTTPSMatchFun = public_key:pkix_verify_hostname_match_fun(https),
+ [{customize_hostname_check, [{match_fun, HTTPSMatchFun}]}|TransOpts1]
+ end,
 %% ALPN.
 Protocols = lists:foldl(fun
 (http, Acc) -> [<<"http/1.1">>|Acc];
@@ -1222,7 +1230,7 @@ ensure_tls_opts(Protocols0, TransOpts0, OriginHost) ->
 end, [], Protocols0),
 TransOpts = [
 {alpn_advertised_protocols, Protocols}
- |TransOpts1],
+ |TransOpts2],
 %% SNI.
 %%
 %% Normally only DNS hostnames are supported for SNI. However, the ssl |
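Review bot: The `%% Wildcard certificate matching.` comment above the new `TransOpts2` case does not record why the option is needed or when it has any effect, which is what a maintainer deciding whether to keep or relax this default will look for. Per the commit message the ssl default does not match wildcard names, so the comment should say so and name the rule being applied; and because hostname matching is part of peer verification, it should also say the option is inert unless `{verify, verify_peer}` is in effect, which nothing in this hunk establishes for `TransOpts1`. I would replace the one-line comment with `%% Wildcard certificate matching: the ssl default only accepts an exact name match,` / `%% so apply public_key's HTTPS rules (RFC 6125 style, one '*' in the leftmost label).` / `%% Like all hostname verification this only takes effect when verify_peer is set.` The `lists:keymember/3` guard correctly leaves any caller-supplied `customize_hostname_check`, including an empty one, untouched. `ensure_tls_opts/3` starts and ends outside the hunk.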