From f9c5bcc4f5cf1bc5eef3b3578f70f181799979ff Mon Sep 17 00:00:00 2001
From: Joseph Hirschfeld <joe@ibj.io>
Date: Wed, 12 Dec 2018 14:19:50 -0500
Subject: [PATCH] Use standard hostname for certs

---
 crypto.go    | 18 ++++++++++++++++--
 transport.go |  3 ++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/crypto.go b/crypto.go
index 1a6812a..8e70127 100644
--- a/crypto.go
+++ b/crypto.go
@@ -14,6 +14,8 @@ import (
 	peer "github.com/libp2p/go-libp2p-peer"
 )
 
+const PEER_HOSTNAME = "tls.libp2p"
+
 // Identity is used to secure connections
 type Identity struct {
 	*tls.Config
@@ -30,7 +32,12 @@ func NewIdentity(privKey ic.PrivKey) (*Identity, error) {
 
 // ConfigForPeer creates a new tls.Config that verifies the peers certificate chain.
 // It should be used to create a new tls.Config before dialing.
-func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
+// It also returns a pointer to the remote public key which points to the valid remote public
+// key after the remote connects
+func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, *ic.PubKey) {
+
+	var remotePubKey *ic.PubKey = nil
+
 	// We need to check the peer ID in the VerifyPeerCertificate callback.
 	// The tls.Config it is also used for listening, and we might also have concurrent dials.
 	// Clone it so we can check for the specific peer ID we're dialing here.
@@ -53,9 +60,15 @@ func (i *Identity) ConfigForPeer(remote peer.ID) *tls.Config {
 		if !remote.MatchesPublicKey(pubKey) {
 			return errors.New("peer IDs don't match")
 		}
+
+		remotePubKey = &pubKey
+
 		return nil
 	}
-	return conf
+
+	conf.ServerName = PEER_HOSTNAME
+
+	return conf, remotePubKey
 }
 
 // KeyFromChain takes a chain of x509.Certificates and returns the peer's public key.
@@ -102,6 +115,7 @@ func keyToCertificate(sk ic.PrivKey) (interface{}, *x509.Certificate, error) {
 		return nil, nil, err
 	}
 	tmpl := &x509.Certificate{
+		DNSNames:     []string{PEER_HOSTNAME},
 		SerialNumber: sn,
 		NotBefore:    time.Now().Add(-24 * time.Hour),
 		NotAfter:     time.Now().Add(certValidityPeriod),
diff --git a/transport.go b/transport.go
index 5a75296..6ab67d3 100644
--- a/transport.go
+++ b/transport.go
@@ -48,7 +48,8 @@ func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn) (cs.Co
 
 // SecureOutbound runs the TLS handshake as a client.
 func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (cs.Conn, error) {
-	cl := tls.Client(insecure, t.identity.ConfigForPeer(p))
+	config, _ := t.identity.ConfigForPeer(p)
+	cl := tls.Client(insecure, config)
 	return t.handshake(ctx, insecure, cl)
 }