Work around verification failure for ssl roots using SHA-1
This commit is contained in:
parent
abc53c7183
commit
ad2b4b004c
1 changed files with 33 additions and 8 deletions
|
@ -84,7 +84,7 @@ defmodule PhilomenaProxy.Http do
|
|||
body: body,
|
||||
headers: [{:user_agent, @user_agent} | headers],
|
||||
max_redirects: 1,
|
||||
connect_options: connect_options(),
|
||||
connect_options: connect_options(url),
|
||||
inet6: true,
|
||||
into: &stream_response_callback/2,
|
||||
decode_body: false
|
||||
|
@ -93,7 +93,30 @@ defmodule PhilomenaProxy.Http do
|
|||
|> Req.request()
|
||||
end
|
||||
|
||||
defp connect_options do
|
||||
defp connect_options(url) do
|
||||
transport_opts =
|
||||
case URI.parse(url) do
|
||||
%{scheme: "https"} ->
|
||||
# SSL defaults validate SHA-1 on root certificates but this is unnecessary because many
|
||||
# many roots are still signed with SHA-1 and it isn't relevant for security. Relax to
|
||||
# allow validation of SHA-1, even though this creates a less secure client.
|
||||
# https://github.com/erlang/otp/issues/8601
|
||||
[
|
||||
transport_opts: [
|
||||
customize_hostname_check: [
|
||||
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
|
||||
],
|
||||
signature_algs_cert: :ssl.signature_algs(:default, :"tlsv1.3") ++ [sha: :rsa]
|
||||
]
|
||||
]
|
||||
|
||||
_ ->
|
||||
# Do not pass any options for non-HTTPS schemes. Finch will raise badarg if the above
|
||||
# options are passed.
|
||||
[]
|
||||
end
|
||||
|
||||
proxy_opts =
|
||||
case Application.get_env(:philomena, :proxy_host) do
|
||||
nil ->
|
||||
[]
|
||||
|
@ -101,6 +124,8 @@ defmodule PhilomenaProxy.Http do
|
|||
url ->
|
||||
[proxy: proxy_opts(URI.parse(url))]
|
||||
end
|
||||
|
||||
transport_opts ++ proxy_opts
|
||||
end
|
||||
|
||||
defp proxy_opts(%{host: host, port: port, scheme: "https"}),
|
||||
|
|
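Review bot: `signature_algs_cert` is an accept-list applied to every certificate in the peer's chain, so the `++ [sha: :rsa]` added in the `%{scheme: "https"} ->` branch of `connect_options/1` appears to also permit SHA-1 signatures on intermediate and end-entity certificates, not only on the self-signed root the surrounding comment is aimed at. The comment already concedes "a less secure client", but the scope should be explicit so a later maintainer does not assume only root self-signatures are affected, e.g. `# NOTE: signature_algs_cert covers the whole chain, so this also accepts SHA-1-signed intermediates/leaf certs; drop once the OTP fix for the linked issue is in the targeted release.` The same comment reads "because many many roots"; drop the duplicated word. `connect_options/1` opens in the second hunk and its `transport_opts ++ proxy_opts` tail lands in the third, so the function spans hunks.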