authorVsevolod Stakhov <vsevolod@highsecure.ru>2018-07-19 13:03:11 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2018-07-19 13:03:11 +0100
commitac8bf6185abbc1f1fd9a4a9b6a2b9258cb7ac596 (patch)
tree96e3d0df5aacf1eb19e6c5b8b5d78f09ad36cd7a
parenta2496b33224e3404fe93475340216d0843b92030 (diff)
downloadrspamd-ac8bf6185abbc1f1fd9a4a9b6a2b9258cb7ac596.tar.gz
rspamd-ac8bf6185abbc1f1fd9a4a9b6a2b9258cb7ac596.zip
[Feature] Disable all SSL checks if ssl_no_verify flag is set
-rw-r--r--src/libutil/util.c4
-rw-r--r--src/lua/lua_http.c3
-rw-r--r--src/rspamd.h1
3 files changed, 7 insertions, 1 deletions
diff --git a/src/libutil/util.c b/src/libutil/util.c
index 4616bedc0..93f449791 100644
--- a/src/libutil/util.c
+++ b/src/libutil/util.c
@@ -2094,6 +2094,9 @@ rspamd_init_libs (void)
#endif
SSL_CTX_set_options (ctx->ssl_ctx, ssl_options);
+ ctx->ssl_ctx_noverify = SSL_CTX_new (SSLv23_method ());
+ SSL_CTX_set_verify (ctx->ssl_ctx_noverify, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_options (ctx->ssl_ctx_noverify, ssl_options);
#endif
rspamd_random_seed_fast ();
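Review bot: The pointer returned by `SSL_CTX_new` is handed to `SSL_CTX_set_verify` and `SSL_CTX_set_options` without a NULL check, so a failed context allocation during init would be dereferenced in the very next call. A guard such as `if (ctx->ssl_ctx_noverify != NULL) { ... }` around the two configuration calls would make that failure explicit. The setup of `ctx->ssl_ctx` lies above the hunk, so whether it has the same gap cannot be seen here. Because this context is configured with `SSL_VERIFY_NONE`, a comment above it would also help, for example `/* No peer certificate verification: use only when the caller explicitly set ssl_no_verify */`. The body of rspamd_init_libs starts and ends outside the hunk.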
@@ -2308,6 +2311,7 @@ rspamd_deinit_libs (struct rspamd_external_libs_ctx *ctx)
EVP_cleanup ();
ERR_free_strings ();
SSL_CTX_free (ctx->ssl_ctx);
+ SSL_CTX_free (ctx->ssl_ctx_noverify);
#endif
rspamd_inet_library_destroy ();
rspamd_free_zstd_dictionary (ctx->in_dict);
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index da4cad890..87244dd55 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -248,7 +248,8 @@ lua_http_make_connection (struct lua_http_cbdata *cbd)
RSPAMD_HTTP_CLIENT_SIMPLE,
RSPAMD_HTTP_CLIENT,
NULL,
- cbd->cfg->libs_ctx->ssl_ctx);
+ (cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY) ?
+ cbd->cfg->libs_ctx->ssl_ctx_noverify : cbd->cfg->libs_ctx->ssl_ctx);
}
else {
cbd->conn = rspamd_http_connection_new (NULL,
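Review bot: The ternary on the new lines silently switches the connection to a context that does not authenticate the peer, and nothing at the call site records that choice. A comment such as `/* NOVERIFY: peer certificate is not checked, so response data is unauthenticated */` would make the trade-off visible. Emitting a log line when the flag is set would let operators audit which Lua HTTP requests run without verification. The `else` branch that begins on the last two lines is not touched by this commit and its arguments are outside the hunk. If that call also takes an SSL context, it presumably still gets the verifying one, so the two paths may treat the same flag differently; that is worth confirming.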
diff --git a/src/rspamd.h b/src/rspamd.h
index 266571290..a993238a9 100644
--- a/src/rspamd.h
+++ b/src/rspamd.h
@@ -323,6 +323,7 @@ struct rspamd_external_libs_ctx {
struct rspamd_cryptobox_library_ctx *crypto_ctx;
struct ottery_config *ottery_cfg;
SSL_CTX *ssl_ctx;
+ SSL_CTX *ssl_ctx_noverify;
struct zstd_dictionary *in_dict;
struct zstd_dictionary *out_dict;
void *out_zstream;
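Review bot: The new `ssl_ctx_noverify` member is declared without a comment, so a reader of the struct cannot tell it apart from `ssl_ctx` other than by name. A trailing comment like `/* SSL_VERIFY_NONE context; peers are not authenticated */` would state the security property where the field is defined. The struct definition continues outside the hunk.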