+ # ssl_match_fun is adapted from [Mint](https://github.com/elixir-mint/mint)
+ # Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi
+
+ # Wildcard domain handling for DNS ID entries in the subjectAltName X.509
+ # extension. Note that this is a subset of the wildcard patterns implemented
+ # by OTP when matching against the subject CN attribute, but this is the only
+ # wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and
+ # therefore the only pattern used in commercially issued certificates.
+ defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do
+ case domain_without_host(reference) do
+ '' ->
+ :default
+
+ domain ->
+ :string.casefold(domain) == :string.casefold(presented)
+ end
+ end
+
+ defp ssl_match_fun(_reference, _presented), do: :default
+
+ defp domain_without_host([]), do: []
+ defp domain_without_host([?. | domain]), do: domain
+ defp domain_without_host([_ | more]), do: domain_without_host(more)
+
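Review bot: The wildcard clause of `ssl_match_fun` never checks that the reference name's leftmost label is non-empty. `domain_without_host` drops everything up to the first dot, so a reference beginning with `.` (for example a constructed `.example.test`) would compare equal to a presented `*.example.test`. Callers probably never pass such a name, but a hostname check is better off failing closed, for instance with a clause placed before the wildcard one: `defp ssl_match_fun({:dns_id, [?. | _]}, {:dNSName, [?*, ?. | _]}), do: false`. The comment block would also benefit from one line on the return contract: as I read the `match_fun` option of `:public_key.pkix_verify_hostname/3`, `:default` hands the pair back to OTP's built-in comparison while a boolean is final, so a wildcard mismatch here is a definite `false`. The hunk header is not visible in this excerpt, so how the function is wired into the TLS options could not be reviewed.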