From 40884da51f61be1b5fe3ed158f9caa1ed39b1eb0 Mon Sep 17 00:00:00 2001
From: Witold Filipczyk
Date: Thu, 13 Oct 2022 11:57:24 +0200
Subject: [PATCH] [ssl] Introduced option "connection.ssl.gemini_cert_verify"

gemini sites often have self-signed certificates. This option allow to enable or disable verification of certificates independently from https protocol.
---
 src/network/ssl/socket.c | 21 +++++++++++++++++----
 src/network/ssl/ssl.c | 14 ++++++++++++--
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 46fec74f..073d7a3d 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -479,11 +479,24 @@ ssl_connect(struct socket *socket)
 	SSL_set_fd((SSL *)socket->ssl, ssl_sock_fd);
 #endif
 
-	if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL))
-		SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
+	if (socket->verify) {
+		if (conn->proxied_uri->protocol == PROTOCOL_HTTPS) {
+			if (get_opt_bool("connection.ssl.cert_verify", NULL)) {
+				SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
 				| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-				verify_callback);
-
+				verify_callback);
+			}
+		}
+#ifdef CONFIG_GEMINI
+		else if (conn->proxied_uri->protocol == PROTOCOL_GEMINI) {
+			if (get_opt_bool("connection.ssl.gemini_cert_verify", NULL)) {
+				SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
+					| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+					verify_callback);
+			}
+		}
+	}
+#endif
 
 	if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
 		char *client_cert;
diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index b1920129..75849cc8 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
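Review bot: The brace that closes `if (socket->verify) {` is placed inside the `#ifdef CONFIG_GEMINI` region: the three consecutive `+	}` lines before `+#endif` close the inner `if`, the `else if`, and the outer `if`, so a build without CONFIG_GEMINI is left with the outer block unclosed after the HTTPS branch and the rest of ssl_connect swallowed into it. Move the outer closing brace past the conditional, i.e. `+		}` / `+#endif` / `+	}`, so both configurations balance. The old code called `SSL_set_verify` for every protocol when `cert_verify` was on, whereas the new chain handles only PROTOCOL_HTTPS and PROTOCOL_GEMINI; if any other TLS-wrapped protocol reaches this function it now keeps OpenSSL's default of no peer verification, so a trailing `else` preserving the `cert_verify` behaviour is worth adding. `conn` is not declared within the hunk, and ssl_connect's body continues on both sides of it.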
@@ -177,7 +177,12 @@ static union option_info openssl_options[] = {
 		"cert_verify", OPT_ZERO, 1,
 		N_("Verify the peer's SSL certificate. Note that this "
 		"needs extensive configuration of OpenSSL by the user.")),
-
+#ifdef CONFIG_GEMINI
+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates for gemini protocol"),
+		"gemini_cert_verify", OPT_ZERO, 1,
+		N_("Verify the peer's SSL certificate for gemini protocol. Note that this "
+		"needs extensive configuration of OpenSSL by the user.")),
+#endif
 	INIT_OPT_BOOL("connection.ssl", N_("Use HTTPS by default"),
 		"https_by_default", OPT_ZERO, 0,
 		N_("Use HTTPS when a URL scheme is not provided.")),
@@ -312,7 +317,12 @@ static union option_info gnutls_options[] = {
 		"cert_verify", OPT_ZERO, 0,
 		N_("Verify the peer's SSL certificate. If you enable "
 		"this, set also \"Trusted CA file\".")),
-
+#ifdef CONFIG_GEMINI
+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates for gemini protocol"),
+		"gemini_cert_verify", OPT_ZERO, 1,
+		N_("Verify the peer's SSL certificate for gemini protocol. If you enable "
+		"this, set also \"Trusted CA file\".")),
+#endif
 	INIT_OPT_BOOL("connection.ssl", N_("Use HTTPS by default"),
 		"https_by_default", OPT_ZERO, 0,
 		N_("Use HTTPS when a URL scheme is not provided.")),
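Review bot: In the gnutls_options hunk (`@@ -312,7 +317,12 @@`) the new `gemini_cert_verify` defaults to 1 while the `cert_verify` entry three lines above it defaults to 0 for GnuTLS, so under GnuTLS gemini would be verified more strictly than HTTPS and, by the option's own help text, fail until "Trusted CA file" is also configured; the openssl_options entry matches its `cert_verify` default of 1, so only the GnuTLS default looks unintended. The only consumer of the option visible in this patch is the OpenSSL `SSL_set_verify` path in socket.c; whether the GnuTLS verification code reads `connection.ssl.gemini_cert_verify` cannot be seen here, and if it does not, the GnuTLS entry is registered but has no effect. Both help strings would read better as `N_("Verify certificates for the gemini protocol")` and `N_("Verify the peer's SSL certificate for the gemini protocol. ...")`.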