"VerifyPeer" may be used to disable peer SSL certificate verification and
"VerifyHost" may be used to disable peer host name (as provided by the SSL
certificate's CA or SAN fields) verification.
Using both options is similar to curl's "--insecure" command line
option.
As requested by Joerg Jaspert.
Signed-off-by: Sebastian Harl <sh@tokkee.org>
Signed-off-by: Florian Forster <octo@huhu.verplant.org>
-static char *url = NULL;
-static char *user = NULL;
-static char *pass = NULL;
-static char *cacert = NULL;
+static char *url = NULL;
+static char *user = NULL;
+static char *pass = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert = NULL;
static CURL *curl = NULL;
static CURL *curl = NULL;
"URL",
"User",
"Password",
"URL",
"User",
"Password",
+ "VerifyPeer",
+ "VerifyHost",
"CACert"
};
static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
"CACert"
};
static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
return (config_set (&user, value));
else if (strcasecmp (key, "password") == 0)
return (config_set (&pass, value));
return (config_set (&user, value));
else if (strcasecmp (key, "password") == 0)
return (config_set (&pass, value));
+ else if (strcasecmp (key, "verifypeer") == 0)
+ return (config_set (&verify_peer, value));
+ else if (strcasecmp (key, "verifyhost") == 0)
+ return (config_set (&verify_host, value));
else if (strcasecmp (key, "cacert") == 0)
return (config_set (&cacert, value));
else
else if (strcasecmp (key, "cacert") == 0)
return (config_set (&cacert, value));
else
curl_easy_setopt (curl, CURLOPT_URL, url);
curl_easy_setopt (curl, CURLOPT_URL, url);
+ if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+ if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+ }
+
if (cacert != NULL)
{
curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
if (cacert != NULL)
{
curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
Optional password needed for authentication.
Optional password needed for authentication.
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
=item B<CACert> I<File>
File that holds one or more SSL certificates. If you want to use HTTPS you will
=item B<CACert> I<File>
File that holds one or more SSL certificates. If you want to use HTTPS you will
Optional password needed for authentication.
Optional password needed for authentication.
+=item B<VerifyPeer> B<true|false>
+
+Enable or disable peer SSL certificate verification. See
+L<http://curl.haxx.se/docs/sslcerts.html> for details. Enabled by default.
+
+=item B<VerifyHost> B<true|false>
+
+Enable or disable peer host name verification. If enabled, the plugin checks
+if the C<Common Name> or a C<Subject Alternate Name> field of the SSL
+certificate matches the host name provided by the B<URL> option. If this
+identity check fails, the connection is aborted. Obviously, only works when
+connecting to a SSL enabled server. Enabled by default.
+
=item B<CACert> I<File>
File that holds one or more SSL certificates. If you want to use HTTPS you will
=item B<CACert> I<File>
File that holds one or more SSL certificates. If you want to use HTTPS you will
-static char *url = NULL;
-static char *user = NULL;
-static char *pass = NULL;
-static char *cacert = NULL;
+static char *url = NULL;
+static char *user = NULL;
+static char *pass = NULL;
+static char *verify_peer = NULL;
+static char *verify_host = NULL;
+static char *cacert = NULL;
static CURL *curl = NULL;
static CURL *curl = NULL;
"URL",
"User",
"Password",
"URL",
"User",
"Password",
+ "VerifyPeer",
+ "VerifyHost",
"CACert"
};
static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
"CACert"
};
static int config_keys_num = STATIC_ARRAY_SIZE (config_keys);
return (config_set (&user, value));
else if (strcasecmp (key, "password") == 0)
return (config_set (&pass, value));
return (config_set (&user, value));
else if (strcasecmp (key, "password") == 0)
return (config_set (&pass, value));
+ else if (strcasecmp (key, "verifypeer") == 0)
+ return (config_set (&verify_peer, value));
+ else if (strcasecmp (key, "verifyhost") == 0)
+ return (config_set (&verify_host, value));
else if (strcasecmp (key, "cacert") == 0)
return (config_set (&cacert, value));
else
else if (strcasecmp (key, "cacert") == 0)
return (config_set (&cacert, value));
else
curl_easy_setopt (curl, CURLOPT_URL, url);
}
curl_easy_setopt (curl, CURLOPT_URL, url);
}
+ if ((verify_peer == NULL) || (strcmp (verify_peer, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 1);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0);
+ }
+
+ if ((verify_host == NULL) || (strcmp (verify_host, "true") == 0))
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 2);
+ }
+ else
+ {
+ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0);
+ }
+
if (cacert != NULL)
{
curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);
if (cacert != NULL)
{
curl_easy_setopt (curl, CURLOPT_CAINFO, cacert);