[Minor] Allow to disable ssl verification if needed
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 3 Feb 2017 14:59:45 +0000 (14:59 +0000)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Fri, 3 Feb 2017 14:59:45 +0000 (14:59 +0000)
src/libutil/http.c
src/libutil/http.h
src/libutil/ssl_util.c
src/libutil/ssl_util.h
src/lua/lua_http.c

index 1a8a4b95346a74c0a4de3daf1b929ece65b5d35a..47c1836d3f3961ae4281101a8390a3ab3300dcb6 100644 (file)
@@ -2183,7 +2183,8 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
                                rspamd_ssl_connection_free (priv->ssl);
                        }
 
-                       priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base);
+                       priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base,
+                                       !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY));
                        g_assert (priv->ssl != NULL);
 
                        if (!rspamd_ssl_connect_fd (priv->ssl, fd, host, &priv->ev,
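Review bot: The call on the added lines `priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base, !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY));` decides silently whether the peer certificate will be checked, so a connection that ran unauthenticated leaves no trace in the logs. A debug-level line next to it, using whichever of the file's `msg_*` logging macros fits (the page shows `msg_err` elsewhere), would let an operator see when verification was disabled for `host`. The enclosing function rspamd_http_connection_write_message_common starts and ends outside the hunk.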
index 9f3861865e2985ca2368d816ecfe37d3d0b3830c..a28a6b3895a7104b90188d3b74de3a32bc933602 100644 (file)
@@ -67,15 +67,18 @@ struct rspamd_storage_shmem {
  * Body has been set for a message
  */
 #define RSPAMD_HTTP_FLAG_HAS_BODY (1 << 5)
-
+/**
+ * Do not verify server's certificate
+ */
+#define RSPAMD_HTTP_FLAG_SSL_NOVERIFY (1 << 6)
 /**
  * Options for HTTP connection
  */
 enum rspamd_http_options {
-       RSPAMD_HTTP_BODY_PARTIAL = 0x1, /**< Call body handler on all body data portions */
-       RSPAMD_HTTP_CLIENT_SIMPLE = 0x2, /**< Read HTTP client reply automatically */
-       RSPAMD_HTTP_CLIENT_ENCRYPTED = 0x4, /**< Encrypt data for client */
-       RSPAMD_HTTP_CLIENT_SHARED = 0x8, /**< Store reply in shared memory */
+       RSPAMD_HTTP_BODY_PARTIAL = 0x1, /**< Call body handler on all body data portions *///!< RSPAMD_HTTP_BODY_PARTIAL
+       RSPAMD_HTTP_CLIENT_SIMPLE = 0x2, /**< Read HTTP client reply automatically */      //!< RSPAMD_HTTP_CLIENT_SIMPLE
+       RSPAMD_HTTP_CLIENT_ENCRYPTED = 0x4, /**< Encrypt data for client */                //!< RSPAMD_HTTP_CLIENT_ENCRYPTED
+       RSPAMD_HTTP_CLIENT_SHARED = 0x8, /**< Store reply in shared memory */              //!< RSPAMD_HTTP_CLIENT_SHARED
 };
 
 typedef int (*rspamd_http_body_handler_t) (struct rspamd_http_connection *conn,
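Review bot: The comment on the new RSPAMD_HTTP_FLAG_SSL_NOVERIFY flag says what is skipped but not what the caller gives up; a reader choosing the flag should see the consequence, e.g. `/** Do not verify the server's certificate: the connection stays encrypted but the peer is not authenticated */`. The four enum lines that now end in `//!< RSPAMD_HTTP_BODY_PARTIAL` and similar only repeat the identifier and look like editor-generated Doxygen stubs; they should be dropped so the enum lines read as before. The blank line removed before the new block could stay to keep the flag definitions visually separated.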
index 3dc34e66a890bdf970ca7b77b06df19e745c2592..a2106ff2b2115c4c1201ec7d985cdd9315c7f528 100644 (file)
@@ -34,6 +34,7 @@ struct rspamd_ssl_connection {
                ssl_next_read,
                ssl_next_write
        } state;
+       gboolean verify_peer;
        SSL *ssl;
        gchar *hostname;
        struct event *ev;
@@ -373,7 +374,7 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
                if (ret == 1) {
                        event_del (c->ev);
                        /* Verify certificate */
-                       if (rspamd_ssl_peer_verify (c)) {
+                       if ((!c->verify_peer) || rspamd_ssl_peer_verify (c)) {
                                c->state = ssl_conn_connected;
                                c->handler (fd, EV_WRITE, c->handler_data);
                        }
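Review bot: When verify_peer is FALSE the new condition `if ((!c->verify_peer) || rspamd_ssl_peer_verify (c)) {` short-circuits past rspamd_ssl_peer_verify entirely, so whatever that helper checks (presumably chain and hostname, it is outside this hunk) is bypassed with no record of it. A short log line in that branch, or a comment such as `/* verification deliberately skipped: peer is encrypted but unauthenticated */`, would make the bypass visible to the next reader and to operators. The extra parentheses around `!c->verify_peer` are unnecessary; `if (!c->verify_peer || rspamd_ssl_peer_verify (c)) {` reads the same. The enclosing function rspamd_ssl_event_handler starts and ends outside the hunk.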
@@ -435,7 +436,8 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
 }
 
 struct rspamd_ssl_connection *
-rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base)
+rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base,
+               gboolean verify_peer)
 {
        struct rspamd_ssl_connection *c;
 
@@ -443,6 +445,7 @@ rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base)
        c = g_slice_alloc0 (sizeof (*c));
        c->ssl = SSL_new (ssl_ctx);
        c->ev_base = ev_base;
+       c->verify_peer = verify_peer;
 
        return c;
 }
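Review bot: `c->ssl = SSL_new (ssl_ctx);` is not checked, and SSL_new returns NULL on failure; the caller's `g_assert (priv->ssl != NULL)` in http.c only checks the wrapper struct, so a NULL SSL object would be used later. Returning NULL after releasing the allocation, `if (c->ssl == NULL) { g_slice_free1 (sizeof (*c), c); return NULL; }`, lets the existing assert catch it. The new field could also carry a one-line comment at its declaration, `gboolean verify_peer; /* check the peer certificate after the handshake */`. The function rspamd_ssl_connection_new starts in the previous hunk and two of its lines are not shown.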
index 64e6a413e532d8c1e59043c83d358765c4b9ef5c..73a940e00e0da866f44b833387f097a31a7cdb10 100644 (file)
@@ -30,7 +30,7 @@ typedef void (*rspamd_ssl_error_handler_t)(gpointer d, GError *err);
  * @return opaque connection data
  */
 struct rspamd_ssl_connection * rspamd_ssl_connection_new (gpointer ssl_ctx,
-               struct event_base *ev_base);
+               struct event_base *ev_base, gboolean verify_peer);
 
 /**
  * Connects SSL session using the specified (connected) FD
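Review bot: The prototype now takes verify_peer but the Doxygen block above it gains no `@param` for it; the other parameters' `@param` lines appear to sit above the hunk. Add ` * @param verify_peer if FALSE the peer certificate is not checked after the handshake; the session is encrypted but the server is not authenticated` before `@return`.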
index 2213d8aae810fe4ff3436edb5cc03f66ca0d748a..4952f3404e1bf6772aadfdea9274e9b26d17bfd0 100644 (file)
@@ -56,6 +56,7 @@ static const struct luaL_reg httplib_m[] = {
 };
 
 #define RSPAMD_LUA_HTTP_FLAG_TEXT (1 << 0)
+#define RSPAMD_LUA_HTTP_FLAG_NOVERIFY (1 << 0)
 
 struct lua_http_cbdata {
        lua_State *L;
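Review bot: `#define RSPAMD_LUA_HTTP_FLAG_NOVERIFY (1 << 0)` reuses the bit already taken by RSPAMD_LUA_HTTP_FLAG_TEXT on the line above, so the two options are indistinguishable in cbd->flags: a request that only asks for text mode will also set RSPAMD_HTTP_FLAG_SSL_NOVERIFY in lua_http_make_connection, and no_ssl_verify=true will turn on text mode. The fix is `#define RSPAMD_LUA_HTTP_FLAG_NOVERIFY (1 << 1)`. The same collision drives the checks in the later hunks of this file at `if (cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY)` and `flags |= RSPAMD_LUA_HTTP_FLAG_NOVERIFY;`.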
@@ -260,6 +261,10 @@ lua_http_make_connection (struct lua_http_cbdata *cbd)
                        rspamd_http_message_set_peer_key (cbd->msg, cbd->peer_pk);
                }
 
+               if (cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY) {
+                       cbd->msg->flags |= RSPAMD_HTTP_FLAG_SSL_NOVERIFY;
+               }
+
                rspamd_http_connection_write_message (cbd->conn, cbd->msg,
                                cbd->host, cbd->mime_type, cbd, fd,
                                &cbd->tv, cbd->ev_base);
@@ -548,6 +553,15 @@ lua_http_request (lua_State *L)
                }
 
                lua_pop (L, 1);
+
+               lua_pushstring (L, "no_ssl_verify");
+               lua_gettable (L, 1);
+
+               if (!!lua_toboolean (L, -1)) {
+                       flags |= RSPAMD_LUA_HTTP_FLAG_NOVERIFY;
+               }
+
+               lua_pop (L, 1);
        }
        else {
                msg_err ("http request has bad params");
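Review bot: `if (!!lua_toboolean (L, -1)) {` double-negates a value lua_toboolean already returns as 0 or 1; `if (lua_toboolean (L, -1)) {` is the plain form and matches the rest of the file's style. Since this branch switches off certificate checking for the request, a debug log line when the option is honoured would help operators audit which scripts rely on it. The enclosing function lua_http_request starts and ends outside the hunk.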