[Feature] Disable all SSL checks if ssl_no_verify flag is set
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Thu, 19 Jul 2018 12:03:11 +0000 (13:03 +0100)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Thu, 19 Jul 2018 12:03:11 +0000 (13:03 +0100)
src/libutil/util.c
src/lua/lua_http.c
src/rspamd.h

index 4616bedc065a60f4eef9ac34cc526596901001a0..93f4497910d8065e432f13ca42f9133ef175aae4 100644 (file)
@@ -2094,6 +2094,9 @@ rspamd_init_libs (void)
 #endif
 
        SSL_CTX_set_options (ctx->ssl_ctx, ssl_options);
+       ctx->ssl_ctx_noverify = SSL_CTX_new (SSLv23_method ());
+       SSL_CTX_set_verify (ctx->ssl_ctx_noverify, SSL_VERIFY_NONE, NULL);
+       SSL_CTX_set_options (ctx->ssl_ctx_noverify, ssl_options);
 #endif
        rspamd_random_seed_fast ();
 
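Review bot: The result of `SSL_CTX_new (SSLv23_method ())` is passed to `SSL_CTX_set_verify` and `SSL_CTX_set_options` without a NULL check, so a failed context allocation would be dereferenced during library initialisation. Guard the two calls with `if (ctx->ssl_ctx_noverify != NULL)` and decide what a caller asking for the no-verify context gets when it is missing; falling back to the verifying `ssl_ctx` keeps that failure on the safe side. Whether the existing `ssl_ctx` creation is checked cannot be seen here, because rspamd_init_libs starts and ends outside the hunk.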
@@ -2308,6 +2311,7 @@ rspamd_deinit_libs (struct rspamd_external_libs_ctx *ctx)
                EVP_cleanup ();
                ERR_free_strings ();
                SSL_CTX_free (ctx->ssl_ctx);
+               SSL_CTX_free (ctx->ssl_ctx_noverify);
 #endif
                rspamd_inet_library_destroy ();
                rspamd_free_zstd_dictionary (ctx->in_dict);
index da4cad890ecd8da50e24ad11531316b5afe9762f..87244dd5524eb4480859f9acf73c1dfcac859074 100644 (file)
@@ -248,7 +248,8 @@ lua_http_make_connection (struct lua_http_cbdata *cbd)
                                RSPAMD_HTTP_CLIENT_SIMPLE,
                                RSPAMD_HTTP_CLIENT,
                                NULL,
-                               cbd->cfg->libs_ctx->ssl_ctx);
+                               (cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY) ?
+                               cbd->cfg->libs_ctx->ssl_ctx_noverify : cbd->cfg->libs_ctx->ssl_ctx);
        }
        else {
                cbd->conn = rspamd_http_connection_new (NULL,
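Review bot: Selecting `ssl_ctx_noverify` here happens silently, so a connection made without peer verification looks the same in the logs as a verified one. A log line at this point would let operators audit which Lua callers set the flag. The ternary is visible only on this branch: the `else` branch begins at the end of the hunk and its arguments are outside it, so confirm that it applies the same `RSPAMD_LUA_HTTP_FLAG_NOVERIFY` selection. A short comment above the ternary such as `/* ssl_no_verify: caller opted out of certificate checks for this request */` would also make the intent explicit.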
index 26657129006b3c7e2412cd8aa8d50661cc0552ca..a993238a9a9c1a7712ec193459ff841804c9557d 100644 (file)
@@ -323,6 +323,7 @@ struct rspamd_external_libs_ctx {
        struct rspamd_cryptobox_library_ctx *crypto_ctx;
        struct ottery_config *ottery_cfg;
        SSL_CTX *ssl_ctx;
+       SSL_CTX *ssl_ctx_noverify;
        struct zstd_dictionary *in_dict;
        struct zstd_dictionary *out_dict;
        void *out_zstream;
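Review bot: The new field `ssl_ctx_noverify` has no comment, and sitting directly under `ssl_ctx` it is easy to pass the wrong one at a call site. Add `/* TLS context with peer verification disabled (SSL_VERIFY_NONE); use only when the caller explicitly set ssl_no_verify */` on the field. The struct definition continues outside the hunk.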