From 6d0ee4feca139c1b8d30f4873f7d9b5606f2f58f Mon Sep 17 00:00:00 2001
From: Johan Bevemyr
Date: Tue, 1 Jun 2021 11:32:01 +0200
Subject: [PATCH] The customize_hostname_check needs to be set to a fun that performs https style hostname checks. Different protocols using tls wants different handling of hostname matching in certificates, ie https and ldap differ in how wildcards should be handled. By default wildcards are not handled correctly for https, ie connecting to https://aus.auth0.com does not work if with tls_opts => [{verify,verify_peer}, {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}] It also needs CustomFun = public_key:pkix_verify_hostname_match_fun(https), {customize_hostname_check, [{match_fun, CustomFun}]}
---
 rebar.config | 2 +-
 src/gun.erl | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/rebar.config b/rebar.config
index 27c0da1e..348f53ea 100644
--- a/rebar.config
+++ b/rebar.config
@@ -1,4 +1,4 @@
 {deps, [
-{cowlib,".*",{git,"https://github.com/ninenines/cowlib","2.10.1"}}
+{cowlib,".*",{git,"https://github.com/ninenines/cowlib","master"}}
 ]}.
 {erl_opts, [debug_info,warn_export_vars,warn_shadow_vars,warn_obsolete_guard]}.
diff --git a/src/gun.erl b/src/gun.erl
index 89c18eab..20fe0ba2 100644
--- a/src/gun.erl
+++ b/src/gun.erl
@@ -1094,7 +1094,9 @@ ensure_alpn_sni(Protocols0, TransOpts0, OriginHost) ->
 ({http2, _}, Acc) -> [<<"h2">>|Acc];
 (_, Acc) -> Acc
 end, [], Protocols0),
+ CustomFun = public_key:pkix_verify_hostname_match_fun(https),
 TransOpts = [
+ {customize_hostname_check, [{match_fun, CustomFun}]},
 {alpn_advertised_protocols, Protocols},
 {client_preferred_next_protocols, {client, Protocols, <<"http/1.1">>}}
 |TransOpts0],
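Review bot: The cowlib dependency in rebar.config moves from the fixed tag `"2.10.1"` to the moving branch `"master"`, so every fresh fetch can build against different, unreviewed cowlib code and builds stop being reproducible. Nothing in the commit description ties this change to the hostname-check fix. Unless a newer cowlib is actually required, keep `{cowlib,".*",{git,"https://github.com/ninenines/cowlib","2.10.1"}}`; if it is required, pin the specific tag or commit that was tested rather than a branch head.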
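Review bot: The new `{customize_hostname_check, [{match_fun, CustomFun}]}` entry is prepended unconditionally ahead of `TransOpts0`, so a caller that already passes its own `customize_hostname_check` (a different matching policy or a custom `fqdn_fun`) ends up with a duplicate key. The caller's value is then presumably shadowed, which is worth confirming against how ssl resolves duplicate options. Adding the HTTPS match fun only when the key is absent keeps it as a default without overriding an explicit choice. The check also only takes effect when the caller enables `{verify, verify_peer}`, as the commit description notes, so a short comment saying so next to the option would help. The body of `ensure_alpn_sni/3` starts and ends outside this hunk.

```erlang
	%% … unchanged: Protocols fold …
	%% Default to HTTPS-style hostname matching, but keep a caller-supplied policy.
	TransOpts1 = case lists:keymember(customize_hostname_check, 1, TransOpts0) of
		true ->
			TransOpts0;
		false ->
			MatchFun = public_key:pkix_verify_hostname_match_fun(https),
			[{customize_hostname_check, [{match_fun, MatchFun}]}|TransOpts0]
	end,
	TransOpts = [
		%% … unchanged: ALPN options …
	|TransOpts1],
```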