commit eaa703ef062fbf5f215ceeaedac9aa27c037cd81
author William Lallemand <wlallemand@haproxy.org> Fri Apr 22 17:52:33 2022 +0200
committer William Lallemand <wlallemand@haproxy.org> Fri Apr 22 18:05:17 2022 +0200
tree cf8ec3863d96ee19bc595db8a79ea52a974d2da3
parent c6ceba3170d98feded336cc9ef86ea1a4bb048c4

MEDIUM: httpclient/ssl: verify is configurable and disabled by default

Disable temporary the SSL verify by default in the httpclient. The
initialization of the @system-ca during the init of the httpclient is a
problem in some cases.

The verify can be reactivated with "httpclient-ssl-verify required" in
the global section.

src/http_client.c

diff --git a/src/http_client.c b/src/http_client.c
index 0614ae7..668489a 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -41,9 +41,11 @@
 static struct server *httpclient_srv_raw;
 #ifdef USE_OPENSSL
 static struct server *httpclient_srv_ssl;
+static int httpclient_ssl_verify = SSL_SOCK_VERIFY_NONE;
 #endif
 static struct applet httpclient_applet;
 
+
 /* --- This part of the file implement an HTTP client over the CLI ---
  * The functions will be  starting by "hc_cli" for "httpclient cli"
  */
@@ -1043,10 +1045,13 @@
 	if (!httpclient_srv_ssl->id)
 		goto err;
 
-	httpclient_srv_ssl->ssl_ctx.verify = SSL_SOCK_VERIFY_REQUIRED;
-	httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca");
-	if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT))
-		goto err;
+	httpclient_srv_ssl->ssl_ctx.verify = httpclient_ssl_verify;
+
+	if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
+		httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca");
+		if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT))
+			goto err;
+	}
 
 #endif
 
@@ -1139,3 +1144,31 @@
 
 REGISTER_PRE_CHECK(httpclient_precheck);
 REGISTER_POST_CHECK(httpclient_postcheck);
+
+#ifdef USE_OPENSSL
+static int httpclient_parse_global_verify(char **args, int section_type, struct proxy *curpx,
+                                        const struct proxy *defpx, const char *file, int line,
+                                        char **err)
+{
+	if (too_many_args(1, args, err, NULL))
+		return -1;
+
+	if (strcmp(args[1],"none") == 0)
+		httpclient_ssl_verify = SSL_SERVER_VERIFY_NONE;
+	else if (strcmp(args[1],"required") == 0)
+		httpclient_ssl_verify = SSL_SERVER_VERIFY_REQUIRED;
+	else {
+		ha_alert("parsing [%s:%d] : '%s' expects 'none' or 'required' as argument.\n", file, line, args[0]);
+		return -1;
+	}
+
+	return 0;
+}
+
+static struct cfg_kw_list cfg_kws = {ILH, {
+	{ CFG_GLOBAL, "httpclient-ssl-verify", httpclient_parse_global_verify },
+	{ 0, NULL, NULL },
+}};
+
+INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
+#endif