From f5dd64933254960e1837ff0ef56d77c25b507696 Mon Sep 17 00:00:00 2001 From: David Rose Date: Fri, 27 Sep 2002 16:47:40 +0000 Subject: [PATCH] be more conservative when passing https requests to proxy --- panda/src/downloader/httpClient.I | 13 +++++++++++++ panda/src/downloader/httpClient.cxx | 26 ++++++++++++++++++-------- panda/src/downloader/httpClient.h | 2 ++ 3 files changed, 33 insertions(+), 8 deletions(-) diff --git a/panda/src/downloader/httpClient.I b/panda/src/downloader/httpClient.I index 0edcc818b4..fff1f5d647 100644 --- a/panda/src/downloader/httpClient.I +++ b/panda/src/downloader/httpClient.I @@ -94,4 +94,17 @@ set_verify_ssl(bool verify_ssl) { } else { SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_NONE, NULL); } + _verify_ssl = verify_ssl; +} + +//////////////////////////////////////////////////////////////////// +// Function: HTTPClient::get_verify_ssl +// Access: Published +// Description: Returns whether the client will insist on verifying +// the identity of the servers it connects to via SSL +// (that is, https). See set_verify_ssl(). +//////////////////////////////////////////////////////////////////// +INLINE bool HTTPClient:: +get_verify_ssl() const { + return _verify_ssl; } diff --git a/panda/src/downloader/httpClient.cxx b/panda/src/downloader/httpClient.cxx index 1a70fed763..f6ac939593 100644 --- a/panda/src/downloader/httpClient.cxx +++ b/panda/src/downloader/httpClient.cxx @@ -99,7 +99,8 @@ get_document(const URLSpec &url, const string &body) { //////////////////////////////////////////////////////////////////// // Function: HTTPClient::make_ctx // Access: Private -// Description: Creates the OpenSSL context object. +// Description: Creates the OpenSSL context object. This is only +// called by the constructor. //////////////////////////////////////////////////////////////////// void HTTPClient:: make_ctx() { @@ -109,7 +110,7 @@ make_ctx() { _ssl_ctx = SSL_CTX_new(SSLv23_client_method()); // By default, insist on verifying servers. - SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_PEER, NULL); + set_verify_ssl(true); // Load in any default certificates listed in the Configrc file. Config::ConfigTable::Symbol cert_files; @@ -351,13 +352,22 @@ get_https_proxy(const URLSpec &url, const string &body) { << "proxy would not open connection to " << url.get_authority() << ": " << doc->get_status_code() << " " << doc->get_status_string() << "\n"; + + if (downloader_cat.is_debug()) { + doc->write_headers(downloader_cat.debug(false)); + } - // If the proxy refused to open a raw connection for us, see if - // it will handle the https communication directly. For other - // error codes, just return error. - if ((doc->get_status_code() / 100) == 4) { - BIO_free_all(bio); - return get_http_proxy(url, body); + if (!get_verify_ssl()) { + // If the proxy refused to open a raw connection for us, see + // if it will handle the https communication itself. For + // other error codes, just return error. (We can only + // reliably do this if verify_ssl is not true, since we're not + // sure whether to trust the proxy to do the verification for + // us.) + if ((doc->get_status_code() / 100) == 4) { + BIO_free_all(bio); + return get_http_proxy(url, body); + } } return NULL; } diff --git a/panda/src/downloader/httpClient.h b/panda/src/downloader/httpClient.h index bbb01f2f5f..6a1ef93a54 100644 --- a/panda/src/downloader/httpClient.h +++ b/panda/src/downloader/httpClient.h @@ -54,6 +54,7 @@ PUBLISHED: bool load_certificates(const Filename &filename); INLINE void set_verify_ssl(bool verify_ssl); + INLINE bool get_verify_ssl() const; PT(HTTPDocument) get_document(const URLSpec &url, const string &body = string()); @@ -73,6 +74,7 @@ private: URLSpec _proxy; SSL_CTX *_ssl_ctx; + bool _verify_ssl; static bool _ssl_initialized; };