From ad2b4b004c1982e4ba8af5d4acf9789c626da0e4 Mon Sep 17 00:00:00 2001
From: Liam
Date: Fri, 21 Jun 2024 08:53:23 -0400
Subject: [PATCH] Work around verification failure for ssl roots using SHA-1

---
 lib/philomena_proxy/http.ex | 41 +++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/lib/philomena_proxy/http.ex b/lib/philomena_proxy/http.ex
index 70172f0c..5558f697 100644
--- a/lib/philomena_proxy/http.ex
+++ b/lib/philomena_proxy/http.ex
@@ -84,7 +84,7 @@ defmodule PhilomenaProxy.Http do
 body: body,
 headers: [{:user_agent, @user_agent} | headers],
 max_redirects: 1,
- connect_options: connect_options(),
+ connect_options: connect_options(url),
 inet6: true,
 into: &stream_response_callback/2,
 decode_body: false
@@ -93,14 +93,39 @@ defmodule PhilomenaProxy.Http do
 |> Req.request()
 end
 
- defp connect_options do
- case Application.get_env(:philomena, :proxy_host) do
- nil ->
- []
+ defp connect_options(url) do
+ transport_opts =
+ case URI.parse(url) do
+ %{scheme: "https"} ->
+ # SSL defaults validate SHA-1 on root certificates but this is unnecessary because many
+ # many roots are still signed with SHA-1 and it isn't relevant for security. Relax to
+ # allow validation of SHA-1, even though this creates a less secure client.
+ # https://github.com/erlang/otp/issues/8601
+ [
+ transport_opts: [
+ customize_hostname_check: [
+ match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+ ],
+ signature_algs_cert: :ssl.signature_algs(:default, :"tlsv1.3") ++ [sha: :rsa]
+ ]
+ ]
 
- url ->
- [proxy: proxy_opts(URI.parse(url))]
- end
+ _ ->
+ # Do not pass any options for non-HTTPS schemes. Finch will raise badarg if the above
+ # options are passed.
+ []
+ end
+
+ proxy_opts =
+ case Application.get_env(:philomena, :proxy_host) do
+ nil ->
+ []
+
+ url ->
+ [proxy: proxy_opts(URI.parse(url))]
+ end
+
+ transport_opts ++ proxy_opts
 end
 
 defp proxy_opts(%{host: host, port: port, scheme: "https"}),
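Review bot: The relaxation on the `signature_algs_cert:` line of `connect_options/1` is broader than the comment above it states: `signature_algs_cert` governs the signature algorithms accepted for every certificate in the presented chain, so appending `sha: :rsa` also accepts SHA-1 RSA signatures on intermediate and leaf certificates, where SHA-1 collision weaknesses do matter, not only on the self-signed root whose own signature carries no trust. The comment should say this plainly instead of "it isn't relevant for security" (and drop the doubled "many many"), e.g. `# OTP offers no root-only knob, so this also accepts SHA-1 on intermediate/leaf certificates and weakens the client; remove once the OTP issue below is resolved.` It is also worth confirming that Finch/Mint merges these `transport_opts` with its default `verify: :verify_peer` and CA settings rather than replacing them, since that is not visible in this hunk. Because the added list is applied to every HTTPS request made through this proxy module, the workaround should be tied to the affected OTP versions and removed once the upstream fix is in use rather than kept indefinitely.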