From 37d66e90fbf2cca2e6ff5fac022e0b8bb8af44a6 Mon Sep 17 00:00:00 2001
From: zmstone
Date: Thu, 2 May 2024 14:34:57 +0200
Subject: [PATCH] fix(ssl-clients): allow wildcard certificates by default

---
 apps/emqx/src/emqx_tls_lib.erl | 8 +++++++-
 apps/emqx/test/emqx_tls_lib_tests.erl | 13 ++++++++++---
 changes/ce/fix-12962.en.md | 4 ++++
 3 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 changes/ce/fix-12962.en.md

diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index e742b31ba..c524381ad 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -542,13 +542,19 @@ to_client_opts(Type, Opts) ->
 {depth, Get(depth)},
 {password, ensure_str(Get(password))},
 {secure_renegotiate, Get(secure_renegotiate)}
- ],
+ ] ++ hostname_check(Verify),
 Versions
 );
 false ->
 []
 end.
 
+hostname_check(verify_none) ->
+ [];
+hostname_check(verify_peer) ->
+ %% allow wildcard certificates
+ [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
+
 resolve_cert_path_for_read_strict(Path) ->
 case resolve_cert_path_for_read(Path) of
 undefined ->
diff --git a/apps/emqx/test/emqx_tls_lib_tests.erl b/apps/emqx/test/emqx_tls_lib_tests.erl
index 53eccfb25..a3ebb09c9 100644
--- a/apps/emqx/test/emqx_tls_lib_tests.erl
+++ b/apps/emqx/test/emqx_tls_lib_tests.erl
@@ -240,7 +240,7 @@ to_client_opts_test() ->
 Versions13Only = ['tlsv1.3'],
 Options = #{
 enable => true,
- verify => "Verify",
+ verify => verify_none,
 server_name_indication => "SNI",
 ciphers => "Ciphers",
 depth => "depth",
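Review bot: The new `hostname_check/1` has no `-spec` and its comment does not say why the option is needed, so a later reader cannot tell whether removing it is safe; I would add `-spec hostname_check(verify_peer | verify_none) -> [ssl:tls_client_option()].` and replace the comment with `%% OTP's default hostname check rejects wildcard certificates; the public_key 'https' match fun applies RFC 6125 rules (wildcard only in the left-most label), so *.example.com matches srv1.example.com but no broader pattern is accepted`. Because the function has only these two clauses, any other `Verify` value now fails with `function_clause` while the option list is being built rather than at connect time — acceptable if the config schema admits only those two atoms, but worth stating next to the clauses. `to_client_opts/2` starts before this hunk, so the binding of `Verify` is not visible here; it is presumably `Get(verify)` alongside the other `Get(...)` reads.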
@@ -249,9 +249,16 @@ to_client_opts_test() ->
 secure_renegotiate => "secure_renegotiate",
 reuse_sessions => "reuse_sessions"
 },
- Expected1 = lists:usort(maps:keys(Options) -- [enable]),
+ Expected0 = lists:usort(maps:keys(Options) -- [enable]),
+ Expected1 = lists:sort(Expected0 ++ [customize_hostname_check]),
 ?assertEqual(
- Expected1, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
+ Expected0, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
+ ),
+ ?assertEqual(
+ Expected1,
+ lists:usort(
+ proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options#{verify => verify_peer}))
+ )
 ),
 
 Expected2 = lists:usort(
diff --git a/changes/ce/fix-12962.en.md b/changes/ce/fix-12962.en.md
new file mode 100644
index 000000000..7319709e4
--- /dev/null
+++ b/changes/ce/fix-12962.en.md
@@ -0,0 +1,4 @@
+TLS clients can now verify server hostname against wildcard certificate.
+
+For example, if a certificate is issued for host `*.example.com`,
+TLS clients is able to verify server hostnames like `srv1.example.com`.
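Review bot: The added `?assertEqual` on `Expected1` only checks that the `customize_hostname_check` key is present for `verify_peer`, not that it carries a match fun, so a regression that kept the key but emitted an empty or wrong value would still pass; I would add `?assertMatch([{match_fun, _}], proplists:get_value(customize_hostname_check, emqx_tls_lib:to_client_opts(tls, Options#{verify => verify_peer})))` after the new assertion. As a point of style, `Expected1` is built with `lists:sort` while every neighbouring expectation uses `lists:usort`; the result is the same because `Expected0` is already deduplicated, but `lists:usort` would read consistently. `to_client_opts_test/0` begins before this hunk, in the preceding hunk of the same file.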