This is an automated email from the ASF dual-hosted git repository. rnewson pushed a commit to branch wildcard_verification in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 9a5150f357ec36b398e5a1028d38f4e9192a198c
Author: Robert Newson <[email protected]>
AuthorDate: Wed Sep 13 14:47:22 2023 +0100

    Use HTTP rules for hostname verification

    Particularly this adds support for wildcard TLS certificates inexcusably missing from the erlang defaults.
---
 src/couch_replicator/src/couch_replicator_parse.erl | 6 +++++-
 src/couch_replicator/src/couch_replicator_utils.erl | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/couch_replicator/src/couch_replicator_parse.erl b/src/couch_replicator/src/couch_replicator_parse.erl
index 54789ca35..d5b366d0d 100644
--- a/src/couch_replicator/src/couch_replicator_parse.erl
+++ b/src/couch_replicator/src/couch_replicator_parse.erl
@@ -489,7 +489,11 @@ ssl_params(Url) ->
 -spec ssl_verify_options(true | false) -> [_].
 ssl_verify_options(true) ->
     CAFile = cfg("ssl_trusted_certificates_file"),
-    [{verify, verify_peer}, {cacertfile, CAFile}];
+    [
+        {verify, verify_peer},
+        {customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]},
+        {cacertfile, CAFile}
+    ];
 ssl_verify_options(false) ->
     [{verify, verify_none}].
diff --git a/src/couch_replicator/src/couch_replicator_utils.erl b/src/couch_replicator/src/couch_replicator_utils.erl
index d790acb0d..3e6e9c955 100644
--- a/src/couch_replicator/src/couch_replicator_utils.erl
+++ b/src/couch_replicator/src/couch_replicator_utils.erl
@@ -335,6 +335,9 @@ check_ssl_certificates(#rep{} = Rep, Type) ->
         {ssl_options, [
             {cacertfile, CACertFile},
             {verify, verify_peer},
+            {customize_hostname_check, [
+                {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
+            ]},
             {verify_fun, check_certificate_fun(Rep, Url, Type)}
         ]}
     ])
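Review bot: The customize_hostname_check option is now assembled in two places — the ssl_verify_options(true) clause here and check_ssl_certificates in couch_replicator_utils.erl in the second hunk — so any future change to the hostname match rules has to be made twice and the two TLS paths can silently drift apart; a single exported helper such as `couch_replicator_utils:ssl_hostname_check_options/0` returning `[{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}]` would keep both call sites in step. The choice of `https` is the whole point of the change and deserves a comment on the added line, e.g. `%% OTP's default hostname check rejects wildcard DNS names; the https match fun applies the HTTPS rules (wildcard in the leftmost label) so *.example.com certificates verify.` This option only changes how the presented certificate's DNS names are compared with the reference identifier the ssl connection derives from the target host, so connections made to an IP literal or without a hostname are presumably unaffected — worth confirming against how ssl_params/1, which starts above the hunk, builds the connect options.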
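Review bot: The hostname check added here sits next to a custom `verify_fun`, and in OTP's ssl a hostname mismatch is reported to that fun as `{bad_cert, hostname_check_failed}` rather than aborting the handshake on its own; if check_certificate_fun/3 (not visible in the hunk) returns `{valid, State}` for any `{bad_cert, _}` reason, the new option has no effect and a certificate issued for a different name would still be accepted. Worth confirming that the fun only treats the specific reasons it is meant to tolerate as valid and returns `{fail, Reason}` for `hostname_check_failed`, and noting that contract in a comment beside the `verify_fun` entry. check_ssl_certificates/2 begins before the hunk and the expression continues after it.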
