Add match_fun clause to deal with IP addresses in TLS handshake (#418)

elixir-mint · Jan 12, 2024 · 321c830 · 321c830
1 parent 7bb9ee7
commit 321c830
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/lib/mint/core/transport/ssl.ex b/lib/mint/core/transport/ssl.ex
@@ -509,6 +509,20 @@ defmodule Mint.Core.Transport.SSL do
     end
   end
 
+  # Workaround for a bug that was fixed in OTP 27:
+  # Before OTP 27 when connecting to an IP address and the server offers a
+  # certificate with its IP address in the "subject alternate names" extension,
+  # the TLS handshake fails with a `{:bad_cert, :hostname_check_failed}`.
+  # This clause can be removed once we depend on OTP 27+.
+  defp match_fun({:dns_id, hostname}, {:iPAddress, ip}) do
+    with {:ok, ip_tuple} <- :inet.parse_address(hostname),
+         ^ip <- Tuple.to_list(ip_tuple) do
+      true
+    else
+      _ -> :default
+    end
+  end
+
   defp match_fun(_reference, _presented), do: :default
 
   defp domain_without_host([]), do: []

diff --git a/test/mint/core/transport/ssl_test.exs b/test/mint/core/transport/ssl_test.exs
@@ -148,6 +148,10 @@ defmodule Mint.Core.Transport.SSLTest do
       refute :mint_shims.pkix_verify_hostname(cert, ip: {1, 2, 3, 4})
       refute :mint_shims.pkix_verify_hostname(cert, ip: {10, 11, 12, 13})
     end
+
+    test "custom match fun for IP addresses as hostname", %{cert: cert} do
+      assert {:valid, _} = SSL.verify_fun(cert, :valid_peer, dns_id: ~c"10.67.16.75")
+    end
   end
 
   # Certificate chain rooted in an expired root CA, and CA store containing