From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Thu, 19 Jul 2018 12:03:11 +0000 (+0100)
Subject: [Feature] Disable all SSL checks if ssl_no_verify flag is set
X-Git-Tag: 1.7.9~82
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ac8bf6185abbc1f1fd9a4a9b6a2b9258cb7ac596;p=rspamd.git

[Feature] Disable all SSL checks if ssl_no_verify flag is set
---

diff --git a/src/libutil/util.c b/src/libutil/util.c
index 4616bedc0..93f449791 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -2094,6 +2094,9 @@ rspamd_init_libs (void)
 #endif
 
 	SSL_CTX_set_options (ctx->ssl_ctx, ssl_options);
+	ctx->ssl_ctx_noverify = SSL_CTX_new (SSLv23_method ());
+	SSL_CTX_set_verify (ctx->ssl_ctx_noverify, SSL_VERIFY_NONE, NULL);
+	SSL_CTX_set_options (ctx->ssl_ctx_noverify, ssl_options);
 #endif
 	rspamd_random_seed_fast ();
 
@@ -2308,6 +2311,7 @@ rspamd_deinit_libs (struct rspamd_external_libs_ctx *ctx)
 		EVP_cleanup ();
 		ERR_free_strings ();
 		SSL_CTX_free (ctx->ssl_ctx);
+		SSL_CTX_free (ctx->ssl_ctx_noverify);
 #endif
 		rspamd_inet_library_destroy ();
 		rspamd_free_zstd_dictionary (ctx->in_dict);
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index da4cad890..87244dd55 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -248,7 +248,8 @@ lua_http_make_connection (struct lua_http_cbdata *cbd)
 				RSPAMD_HTTP_CLIENT_SIMPLE,
 				RSPAMD_HTTP_CLIENT,
 				NULL,
-				cbd->cfg->libs_ctx->ssl_ctx);
+				(cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY) ?
+				cbd->cfg->libs_ctx->ssl_ctx_noverify : cbd->cfg->libs_ctx->ssl_ctx);
 	}
 	else {
 		cbd->conn = rspamd_http_connection_new (NULL,
diff --git a/src/rspamd.h b/src/rspamd.h
index 266571290..a993238a9 100644
--- a/src/rspamd.h
+++ b/src/rspamd.h
@@ -323,6 +323,7 @@ struct rspamd_external_libs_ctx {
 	struct rspamd_cryptobox_library_ctx *crypto_ctx;
 	struct ottery_config *ottery_cfg;
 	SSL_CTX *ssl_ctx;
+	SSL_CTX *ssl_ctx_noverify;
 	struct zstd_dictionary *in_dict;
 	struct zstd_dictionary *out_dict;
 	void *out_zstream;