The customize_hostname_check needs to be set to a fun that performs

https style hostname checks. Different protocols using tls wants different handling of hostname matching in certificates, ie https and ldap differ in how wildcards should be handled. By default wildcards are not handled correctly for https, ie connecting to https://aus.auth0.com does not work if with tls_opts => [{verify,verify_peer}, {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}] It also needs CustomFun = public_key:pkix_verify_hostname_match_fun(https), {customize_hostname_check, [{match_fun, CustomFun}]}
jbevemyr · Jun 1, 2021 · 6d0ee4f · 6d0ee4f
1 parent c3ecb9b
commit 6d0ee4f
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/rebar.config b/rebar.config
@@ -1,4 +1,4 @@
 {deps, [
-{cowlib,".*",{git,"https://github.com/ninenines/cowlib","2.10.1"}}
+{cowlib,".*",{git,"https://github.com/ninenines/cowlib","master"}}
 ]}.
 {erl_opts, [debug_info,warn_export_vars,warn_shadow_vars,warn_obsolete_guard]}.
diff --git a/src/gun.erl b/src/gun.erl
@@ -1094,7 +1094,9 @@ ensure_alpn_sni(Protocols0, TransOpts0, OriginHost) ->
 		({http2, _}, Acc) -> [<<"h2">>|Acc];
 		(_, Acc) -> Acc
 	end, [], Protocols0),
+	CustomFun = public_key:pkix_verify_hostname_match_fun(https),
 	TransOpts = [
+		{customize_hostname_check, [{match_fun, CustomFun}]},
 		{alpn_advertised_protocols, Protocols},
 		{client_preferred_next_protocols, {client, Protocols, <<"http/1.1">>}}
 	|TransOpts0],