Description
When calling :hackney.request/4 with TLS options including custom hostname verification as described in the trace below, we're receiving handshake failures. This is a regression as we've confirmed this works correctly in Hackney 1.21.0.
Steps to reproduce
- Install Hackney 1.22.0
- Make an HTTPS request with the following options:

```elixir
:hackney.request(:get, "https://d135dj0rjqvssy.cloudfront.net/0.36.0/appsignal-aarch64-darwin-all-static.tar.gz", [], "", [
  {:ssl_options, [
    {:verify, :verify_peer},
    {:cacertfile, "/path/to/cacert.pem"},
    {:versions, [:'tlsv1.3', :'tlsv1.2']},
    {:customize_hostname_check, [{:match_fun, :public_key.pkix_verify_hostname_match_fun(:https)}]}
  ]}
])
```
Trace
[hackney trace 80 <0.283.0> 2025:02:24 13:39:45 4543] request
Content: [{module,hackney},
{line,313},
{method,get},
{url,
{hackney_url,hackney_ssl,https,
<<"d135dj0rjqvssy.cloudfront.net">>,
<<"/0.36.0/appsignal-aarch64-darwin-all-static.tar.gz">>,
<<"/0.36.0/appsignal-aarch64-darwin-all-static.tar.gz">>,
<<>>,<<>>,"d135dj0rjqvssy.cloudfront.net",443,<<>>,<<>>}},
{headers,[]},
{body,<<>>},
{options,
[{ssl_options,
[{verify,verify_peer},
{cacertfile,
<<"/Users/luismiramirez/code/handshake/_build/dev/lib/appsignal/priv/cacert.pem">>},
{versions,['tlsv1.3','tlsv1.2']},
{customize_hostname_check,
[{match_fun,#Fun<public_key.6.112534691>}]}]}]}]
[hackney trace 60 <0.283.0> 2025:02:24 13:39:45 4543] no proxy env setup, request without proxy
Content: [{module,hackney},{line,695}]
[hackney trace 60 <0.283.0> 2025:02:24 13:39:45 4543] connect
Content: [{module,hackney_connect},
{line,32},
{transport,hackney_ssl},
{host,"d135dj0rjqvssy.cloudfront.net"},
{port,443},
{dynamic,true}]
[hackney trace 80 <0.283.0> 2025:02:24 13:39:45 4544] no socket in the pool
Content: [{module,hackney_pool},{line,88},{pool,default}]
[hackney trace 60 <0.283.0> 2025:02:24 13:39:45 4544] happy eyeballs, try to connect using IPv6
Content: [{module,hackney_happy},
{line,32},
{hostname,"d135dj0rjqvssy.cloudfront.net"},
{port,443}]
[hackney trace 80 <0.387.0> 2025:02:24 13:39:45 4609] happy eyeball: failed to connect
Content: [{module,hackney_happy},{line,129},{error,{error,nxdomain}}]
[hackney trace 80 <0.388.0> 2025:02:24 13:39:45 4610] try to connect
Content: [{module,hackney_happy},
{line,132},
{ip,{18,154,56,68}},
{type,inet}]
[hackney trace 80 <0.388.0> 2025:02:24 13:39:45 4623] success to connect
Content: [{module,hackney_happy},
{line,135},
{ip,{18,154,56,68}},
{type,inet}]
[hackney trace 80 <0.283.0> 2025:02:24 13:39:45 4624] happy_connect ~p
Content: [{module,hackney_happy},{line,78},{ok,#Port<0.320>}]
14:39:45.655 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2186 generated CLIENT ALERT: Fatal - Handshake Failure
- {:bad_cert,
{:hostname_check_failed, {:requested, {18, 154, 56, 68}},
{:received, [dNSName: ~c"cloudfront.net", dNSName: ~c"*.cloudfront.net"]}}}
[hackney trace 80 <0.283.0> 2025:02:24 13:39:45 4656] connect error
Content: [{module,hackney_pool},
{line,108},
{pool,default},
{error,
{error,
{tls_alert,
{handshake_failure,
"TLS client: In state wait_cert_cr at ssl_handshake.erl:2186 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,\n {hostname_check_failed,\n {requested,{18,154,56,68}},\n {received,\n [{dNSName,\"cloudfront.net\"},{dNSName,\"*.cloudfront.net\"}]}}}"}}}}]
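
The following is an added example, not part of the original issue and not Hackney or OTP code. It feeds the SAN entries from the `:received` list in the trace to the same `match_fun` used in the request, once with the IP tuple reported under `:requested` and once with the hostname from the URL, to show that only the hostname can satisfy a certificate carrying dNSName entries alone. `HostnameCheckDemo`, `reference_id/1` and `default_match/2` are hypothetical names, and the fallback is a simplified model of same-type comparison.

```elixir
defmodule HostnameCheckDemo do
  # SAN entries copied from the :received list in the trace above.
  @sans [dNSName: ~c"cloudfront.net", dNSName: ~c"*.cloudfront.net"]

  # Hypothetical helper: derive the reference identity from the value the
  # TLS layer was asked to verify. An IP tuple becomes {:ip, _}, a name
  # becomes {:dns_id, _}.
  def reference_id(host) when is_tuple(host), do: {:ip, host}
  def reference_id(host) when is_binary(host), do: {:dns_id, String.to_charlist(host)}
  def reference_id(host) when is_list(host), do: {:dns_id, host}

  # Run the match_fun from the issue against every presented SAN. When it
  # answers :default, fall back to the simplified model below.
  def matches?(host, sans \\ @sans) do
    ref = reference_id(host)
    match_fun = :public_key.pkix_verify_hostname_match_fun(:https)

    Enum.any?(sans, fn presented ->
      case match_fun.(ref, presented) do
        :default -> default_match(ref, presented)
        result -> result
      end
    end)
  end

  # Simplified assumption: an IP reference can only match an iPAddress SAN
  # (modelled here as a list of octets), never a dNSName, wildcard or not.
  defp default_match({:ip, ip}, {:iPAddress, octets}), do: Tuple.to_list(ip) == octets
  defp default_match(_ref, _presented), do: false
end

# The value under :requested in the trace: the resolved IPv4 address.
IO.inspect(HostnameCheckDemo.matches?({18, 154, 56, 68}), label: "IP reference")

# The hostname from the request URL.
IO.inspect(HostnameCheckDemo.matches?("d135dj0rjqvssy.cloudfront.net"), label: "hostname reference")
```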