[ssl] Introduced option "connection.ssl.gemini_cert_verify"

gemini sites often have self-signed certificates. This option allow to enable or disable verification of certificates independently from https protocol.
2024-12-04 14:46:47 -05:00 · 2022-10-13 11:57:24 +02:00 · 2022-10-13 11:57:24 +02:00 · 40884da51f
commit 40884da51f
parent c05e1567e1
2 changed files with 29 additions and 6 deletions
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@ -479,11 +479,24 @@ ssl_connect(struct socket *socket)
 	SSL_set_fd((SSL *)socket->ssl, ssl_sock_fd);
 #endif

-	if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL))
-		SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
+	if (socket->verify) {
+		if (conn->proxied_uri->protocol == PROTOCOL_HTTPS) {
+			if (get_opt_bool("connection.ssl.cert_verify", NULL)) {
+				SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
 					  | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-			       verify_callback);
-
+					  verify_callback);
+			}
+		}
+#ifdef CONFIG_GEMINI
+		else if (conn->proxied_uri->protocol == PROTOCOL_GEMINI) {
+			if (get_opt_bool("connection.ssl.gemini_cert_verify", NULL)) {
+				SSL_set_verify((SSL *)socket->ssl, SSL_VERIFY_PEER
+					  | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+					  verify_callback);
+			}
+		}
+	}
+#endif
 	if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
 		char *client_cert;

--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@ -177,7 +177,12 @@ static union option_info openssl_options[] = {
 		"cert_verify", OPT_ZERO, 1,
 		N_("Verify the peer's SSL certificate. Note that this "
 		"needs extensive configuration of OpenSSL by the user.")),
-
+#ifdef CONFIG_GEMINI
+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates for gemini protocol"),
+		"gemini_cert_verify", OPT_ZERO, 1,
+		N_("Verify the peer's SSL certificate for gemini protocol. Note that this "
+		"needs extensive configuration of OpenSSL by the user.")),
+#endif
 	INIT_OPT_BOOL("connection.ssl", N_("Use HTTPS by default"),
 		"https_by_default", OPT_ZERO, 0,
 		N_("Use HTTPS when a URL scheme is not provided.")),
@ -312,7 +317,12 @@ static union option_info gnutls_options[] = {
 		"cert_verify", OPT_ZERO, 0,
 		N_("Verify the peer's SSL certificate.  If you enable "
 		"this, set also \"Trusted CA file\".")),
-
+#ifdef CONFIG_GEMINI
+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates for gemini protocol"),
+		"gemini_cert_verify", OPT_ZERO, 1,
+		N_("Verify the peer's SSL certificate for gemini protocol.  If you enable "
+		"this, set also \"Trusted CA file\".")),
+#endif
 	INIT_OPT_BOOL("connection.ssl", N_("Use HTTPS by default"),
 		"https_by_default", OPT_ZERO, 0,
 		N_("Use HTTPS when a URL scheme is not provided.")),