diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 46fec74f..073d7a3d 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -479,11 +479,24 @@ ssl_connect(struct socket *socket)
 SSL_set_fd((SSL *)socket->ssl, ssl_sock_fd);
 #endif
 
- if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL))
- SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
+ if (socket->verify) {
+ if (conn->proxied_uri->protocol == PROTOCOL_HTTPS) {
+ if (get_opt_bool("connection.ssl.cert_verify", NULL)) {
+ SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- verify_callback);
-
+ verify_callback);
+ }
+ }
+#ifdef CONFIG_GEMINI
+ else if (conn->proxied_uri->protocol == PROTOCOL_GEMINI) {
+ if (get_opt_bool("connection.ssl.gemini_cert_verify", NULL)) {
+ SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
+ | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback);
+ }
+ }
+ }
+#endif
 
 if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
 char *client_cert;
diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index b1920129..75849cc8 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@@ -177,7 +177,12 @@ static union option_info openssl_options[] = {
 "cert_verify", OPT_ZERO, 1,
 N_("Verify the peer's SSL certificate. Note that this "
 "needs extensive configuration of OpenSSL by the user.")),
-
+#ifdef CONFIG_GEMINI
+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates for gemini protocol"),
+ "gemini_cert_verify", OPT_ZERO, 1,
+ N_("Verify the peer's SSL certificate for gemini protocol. Note that this "
+ "needs extensive configuration of OpenSSL by the user.")),
+#endif
 INIT_OPT_BOOL("connection.ssl", N_("Use HTTPS by default"),
 "https_by_default", OPT_ZERO, 0,
 N_("Use HTTPS when a URL scheme is not provided.")),
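Review bot: The closing brace of `if (socket->verify) {` is placed inside the `#ifdef CONFIG_GEMINI` block (the added `}` immediately before `+#endif`), so a build without CONFIG_GEMINI leaves ssl_connect with an unbalanced brace; the preprocessor conditional should end before that brace, i.e. the tail should read `	}` / `#endif` / `	}` rather than `	}` / `	}` / `#endif`. Separately, the old code called SSL_set_verify for every socket with `verify` set, while the new code does so only when `conn->proxied_uri->protocol` is PROTOCOL_HTTPS (or PROTOCOL_GEMINI under the ifdef), so any other caller that sets `socket->verify` would now proceed without peer verification; if such callers exist — not visible here — a final `else` branch applying the `connection.ssl.cert_verify` setting would keep the previous behaviour for them. `conn` is not introduced in the hunk and `conn->proxied_uri` is dereferenced without a check, which is presumably guaranteed non-NULL by the earlier part of ssl_connect — worth confirming. The body of ssl_connect continues both before and after this hunk.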
@@ -312,7 +317,12 @@ static union option_info gnutls_options[] = {
 "cert_verify", OPT_ZERO, 0,
 N_("Verify the peer's SSL certificate. If you enable "
 "this, set also \"Trusted CA file\".")),
-
+#ifdef CONFIG_GEMINI
+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates for gemini protocol"),
+ "gemini_cert_verify", OPT_ZERO, 1,
+ N_("Verify the peer's SSL certificate for gemini protocol. If you enable "
+ "this, set also \"Trusted CA file\".")),
+#endif
 INIT_OPT_BOOL("connection.ssl", N_("Use HTTPS by default"),
 "https_by_default", OPT_ZERO, 0,
 N_("Use HTTPS when a URL scheme is not provided.")),
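Review bot: In the gnutls table `gemini_cert_verify` defaults to 1 while the adjacent `cert_verify` defaults to 0, and the copied help text ("If you enable this, set also \"Trusted CA file\"") still reads as if the option were opt-in. Verification-on is the safer default, but if it is intentional here the description should say so and state that a trusted CA file must be configured for gemini connections to verify, e.g. `N_("Verify the peer's SSL certificate for gemini protocol. Enabled by default; set also \"Trusted CA file\".")`. Whether gemini connections succeed out of the box with this default and no CA file configured cannot be judged from this hunk and is worth confirming.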