From 2ff1a989a4c3e2b464850c1799f3727a563579f7 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travpc@gmail.com>
Date: Mon, 17 Jun 2019 18:52:45 -0600
Subject: [PATCH] Fix certificate validation again

Fixes https://github.com/turt2live/matrix-media-repo/issues/168
---
 .../matrix-media-repo/matrix/federation.go    | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/github.com/turt2live/matrix-media-repo/matrix/federation.go b/src/github.com/turt2live/matrix-media-repo/matrix/federation.go
index 882cf52a..35c1214d 100644
--- a/src/github.com/turt2live/matrix-media-repo/matrix/federation.go
+++ b/src/github.com/turt2live/matrix-media-repo/matrix/federation.go
@@ -1,6 +1,7 @@
 package matrix
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -165,9 +166,25 @@ func FederatedGet(url string, realHost string) (*http.Response, error) {
 	req.Header.Set("Host", realHost)
 	req.Header.Set("User-Agent", "matrix-media-repo")
 	req.Host = realHost
-	req.URL.Host = realHost // For SNI/TLS to work
 
-	resp, err := http.DefaultClient.Do(req)
+	logrus.Info(req.URL.String())
+
+	// This is how we verify the certificate is valid for the host we expect.
+	// Previously using `req.URL.Host` we'd end up changing which server we were
+	// connecting to (ie: matrix.org instead of matrix.org.cdn.cloudflare.net),
+	// which obviously doesn't help us. We needed to do that though because the
+	// HTTP client doesn't verify against the req.Host certificate, but it does
+	// handle it off the req.URL.Host. So, we need to tell it which certificate
+	// to verify.
+	client := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				ServerName: realHost,
+			},
+		},
+	}
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
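Review bot: The `http.Client{Transport: &http.Transport{...}}` built near the end of the hunk is a bare transport created on every call, so it drops `http.DefaultTransport`'s proxy settings and handshake/idle timeouts, and because nothing ever closes it, each request's keep-alive connection can linger with no `IdleConnTimeout` to reap it. Pinning `ServerName: realHost` is the right way to drive both SNI and certificate verification while the TCP connection still goes to `req.URL.Host` (the delegated/CDN host), so that part of the fix looks correct. I would keep the per-request transport but make it self-cleaning with `DisableKeepAlives: true`, restore `Proxy: http.ProxyFromEnvironment` and a `TLSHandshakeTimeout`, and give the client a `Timeout` (this needs `time` imported); longer term a single shared transport with a custom dialer would also avoid a fresh TLS handshake per request. The `logrus.Info(req.URL.String())` line looks like a leftover debug statement and would log every federated media URL at info level, so consider `logrus.Debug` or dropping it. `FederatedGet` begins and ends outside the hunk.

```go
	// … unchanged: req.Host / header setup …
	transport := &http.Transport{
		Proxy:               http.ProxyFromEnvironment,
		TLSHandshakeTimeout: 10 * time.Second,
		// This transport lives for one request only, so do not keep the
		// connection alive afterwards; nothing would ever reap it.
		DisableKeepAlives: true,
		// ServerName drives both SNI and certificate verification; the TCP
		// connection still goes to req.URL.Host (e.g. the CDN hostname).
		TLSClientConfig: &tls.Config{
			ServerName: realHost,
		},
	}

	client := http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
	}

	resp, err := client.Do(req)
```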
-- 
GitLab