Commit ce1a42bd authored by href's avatar href Committed by rinpatch

Simplify TLS opts

- `verify_fun` is not useful now
- use `customize_check_hostname` (OTP 20+ so OK)
- `partial_chain` is useless as of OTP 21.1 (wasn't there, but hackney/..
uses it)
parent ebfa5916
......@@ -28,9 +28,8 @@ defp maybe_add_tls_opts(opts, %URI{scheme: "https", host: host}) do
cacertfile: CAStore.file_path(),
depth: 20,
reuse_sessions: false,
[check_hostname: Pleroma.HTTP.AdapterHelper.format_host(host)]}
log_level: :warning,
customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
tls_opts =
......@@ -39,36 +39,8 @@ defp add_scheme_opts(opts, %{scheme: "http"}), do: opts
defp add_scheme_opts(opts, %{scheme: "https"}) do
|> Keyword.put(:certificates_verification, true)
|> Keyword.put(:tls_opts,
log_level: :warning,
customize_hostname_check: [match_fun: &ssl_match_fun/2]
# ssl_match_fun is adapted from [Mint](
# Copyright 2018 Eric Meadows-Jönsson and Andrea Leopardi
# Wildcard domain handling for DNS ID entries in the subjectAltName X.509
# extension. Note that this is a subset of the wildcard patterns implemented
# by OTP when matching against the subject CN attribute, but this is the only
# wildcard usage defined by the CA/Browser Forum's Baseline Requirements, and
# therefore the only pattern used in commercially issued certificates.
defp ssl_match_fun({:dns_id, reference}, {:dNSName, [?*, ?. | presented]}) do
case domain_without_host(reference) do
'' ->
domain ->
:string.casefold(domain) == :string.casefold(presented)
defp ssl_match_fun(_reference, _presented), do: :default
defp domain_without_host([]), do: []
defp domain_without_host([?. | domain]), do: domain
defp domain_without_host([_ | more]), do: domain_without_host(more)
@spec get_conn(URI.t(), keyword()) :: {:ok, keyword()} | {:error, atom()}
def get_conn(uri, opts) do
case ConnectionPool.get_conn(uri, opts) do
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment