
Accept wildcard certificates by default

Open l2dy opened this issue 7 months ago • 4 comments

As documented, some Redis servers, notably Amazon ElastiCache, use wildcard certificates that require additional socket options for successful verification (requires OTP 21.0 or later):

Redix.start_link(
  host: "example.com", port: 9999, ssl: true,
  socket_opts: [
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ]
  ]
)

Do you think it's better to customize the hostname check function by default to streamline the SSL experience like what Postgrex did in https://github.com/elixir-ecto/postgrex/commit/de665e40e34fc1a0e88b14c09ed0912ec477cf68?

l2dy avatar May 14 '25 10:05 l2dy

I think the default that Postgrex uses is good, as long as we are very careful about merging defaults with user-provided options in a way that doesn't lead to security risks—inadvertently having users change unrelated SSL options and breaking the defaults and stuff like that.

whatyouhide avatar May 15 '25 08:05 whatyouhide

To clarify: wanna send a PR? 🙃

whatyouhide avatar May 15 '25 08:05 whatyouhide

> I think the default that Postgrex uses is good, as long as we are very careful about merging defaults with user-provided options in a way that doesn't lead to security risks—inadvertently having users change unrelated SSL options and breaking the defaults and stuff like that.

Yes, map merging behavior is the part I'm worrying about. I'm not fluent in Elixir yet, so having someone else implement this would be better.

TLDR: I'd rather not implement this myself, unless no one else is willing to tackle it.

l2dy avatar May 15 '25 08:05 l2dy

@l2dy I think:

  1. Mirroring what Postgrex does for merging is a good idea for the starting approach
  2. There might be some good stuff in https://github.com/elixir-mint/mint/blob/main/lib/mint/core/transport/ssl.ex

I won't have time to work on this anytime soon, so I'd really appreciate the help 😉

whatyouhide avatar May 15 '25 10:05 whatyouhide
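
One way to handle the merge concern raised in this thread, added here as an illustration; it is not code from Redix, Postgrex, Mint, or any participant. The module and function names (`SSLDefaultsExample`, `merge_ssl_opts/1`) are hypothetical, and the defaults assumed are `verify: :verify_peer` plus the wildcard `match_fun` from the issue.

```elixir
defmodule SSLDefaultsExample do
  # Hypothetical module for illustration; not Redix or Postgrex code.

  # Assumed defaults: verify the peer and accept wildcard certificates
  # using the HTTPS matching rules (needs OTP 21.0 or later).
  def default_ssl_opts do
    [
      verify: :verify_peer,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Merge user-supplied socket options over the defaults. Keys the user does
  # not mention keep their default; the nested customize_hostname_check list
  # is merged key by key instead of being replaced wholesale.
  def merge_ssl_opts(user_opts) when is_list(user_opts) do
    # Socket options may contain bare atoms such as :inet6, which
    # Keyword.merge/3 rejects, so set them aside and re-append them.
    {pairs, bare} = Enum.split_with(user_opts, &pair?/1)

    merged =
      Keyword.merge(default_ssl_opts(), pairs, fn
        :customize_hostname_check, default, user when is_list(user) ->
          Keyword.merge(default, user)

        _key, _default, user ->
          # An explicit user value always wins, including verify: :verify_none.
          user
      end)

    merged ++ bare
  end

  defp pair?({key, _value}) when is_atom(key), do: true
  defp pair?(_other), do: false
end

# Constructed inputs: an unrelated option, a nested override, an explicit opt-out.
for opts <- [
      [:inet6, cacertfile: "/path/to/ca.pem"],
      [customize_hostname_check: [fqdn_fun: fn _ref -> :default end]],
      [verify: :verify_none]
    ] do
  opts |> SSLDefaultsExample.merge_ssl_opts() |> IO.inspect()
end
```

In the first two cases `verify: :verify_peer` and the wildcard `match_fun` survive the merge; only the third, where the caller explicitly sets `verify`, changes peer verification.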