From: Christopher Brannon <chris@the-brannons.com>
To: edbrowse-dev@lists.the-brannons.com
Subject: [Edbrowse-dev] [PATCH] Implement the "novs" directive.
Date: Thu, 11 Sep 2014 12:06:40 -0700 [thread overview]
Message-ID: <1410462400-1615-1-git-send-email-chris@the-brannons.com> (raw)
---
doc/usersguide.html | 19 ++++++++++++-------
src/buffers.c | 2 --
src/eb.h | 2 +-
src/eb.p | 1 +
src/fetchmail.c | 5 ++---
src/main.c | 16 ++++++++++------
src/sendmail.c | 3 ---
src/url.c | 35 +++++++++++++++++++++++++++++++++++
8 files changed, 61 insertions(+), 22 deletions(-)
diff --git a/doc/usersguide.html b/doc/usersguide.html
index ed365d8..add72db 100644
--- a/doc/usersguide.html
+++ b/doc/usersguide.html
@@ -2537,7 +2537,9 @@ Some browsers don't have this feature at all, so it's not the end of the world,
but in general it's a good idea to verify your secure connections,
unless it prevents you from getting to a website whose authenticity you accept at face value.
In that case you can use the vs command to turn the feature off.
-This is a toggle command; type vs again to turn the feature on.
+This is a toggle command; type vs again to turn the feature on.
+For another method of disabling verification on a site-by-site basis,
+see the novs directive in the configuration file.
<P>
Never send sensitive information,
@@ -3071,6 +3073,15 @@ A couple of youtube pages will consume 4 meg of javascript, so don't aim low unl
If you spend all day browsing, you better aim high, because edbrowse could unceremoniously exit if it runs out of javascript space.
<P>
+novs = somesite.com
+<P>
+Indicate hostnames for which SSL certificate verification should never
+be performed.
+This directive is useful for sites that use self-signed certificates,
+since these cannot be verified.
+It should probably not be used for anything serious, such as a site that
+is going to receive your credit card number.
+<P>
inserver = pop3.some-domain.com
<br>
inport = 110
@@ -3110,12 +3121,6 @@ nofetch
Do not fetch mail from this account through the -f option.
<P>
-nocert
-<P>
-This account uses secure connections, i.e. pop3s or smtps,
-but there is no certificate for the secure server.
-
-<P>
login = eklhad
<br>
password = secret
diff --git a/src/buffers.c b/src/buffers.c
index dcd862c..b2f52fc 100644
--- a/src/buffers.c
+++ b/src/buffers.c
@@ -3172,8 +3172,6 @@ et_go:
if (stringEqual(line, "vs")) {
verifyCertificates ^= 1;
- curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER,
- verifyCertificates);
if (helpMessagesOn || debugLevel >= 1)
i_puts(verifyCertificates + MSG_CertifyOff);
return eb_true;
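Review bot: With the setopt removed, toggling vs no longer changes anything on the handle immediately; the new value is only consulted the next time setCurlURL runs for that handle, so a handle whose URL was set before the toggle keeps its old CURLOPT_SSL_VERIFYPEER setting until then. That is probably fine for the browser handle, which sets its URL per fetch, but it is easy to misread later; a comment at the toggle such as `/* takes effect lazily: setCurlURL() decides per host from verifyCertificates */` would make the new contract explicit. The enclosing function continues outside the hunk.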
diff --git a/src/eb.h b/src/eb.h
index 13f279c..09f27c5 100644
--- a/src/eb.h
+++ b/src/eb.h
@@ -159,7 +159,7 @@ struct MACCOUNT { /* pop3 account */
char *inurl, *outurl;
int inport, outport;
uchar inssl, outssl;
- char nofetch, nocert;
+ char nofetch;
};
extern struct MACCOUNT accounts[]; /* all the email accounts */
extern int maxAccount; /* how many email accounts specified */
diff --git a/src/eb.p b/src/eb.p
index 7bbb250..578090a 100644
--- a/src/eb.p
+++ b/src/eb.p
@@ -70,6 +70,7 @@ char *encodePostData(const char *s);
char *decodePostData(const char *data, const char *name, int seqno);
void decodeMailURL(const char *url, char **addr_p, char **subj_p,
char **body_p);
+void addNovsHost(char *host);
CURLcode setCurlURL(CURL *h, const char *url);
/* sourcefile=auth.c */
diff --git a/src/fetchmail.c b/src/fetchmail.c
index b5d375a..9943cb5 100644
--- a/src/fetchmail.c
+++ b/src/fetchmail.c
@@ -328,7 +328,7 @@ static struct eb_curl_callback_data callback_data = {
};
static CURL *newFetchmailHandle(const char *mailbox, const char *username,
- const char *password, int do_certs)
+ const char *password)
{
CURLcode res;
CURL *handle = curl_easy_init();
@@ -344,7 +344,6 @@ static CURL *newFetchmailHandle(const char *mailbox, const char *username,
if (res != CURLE_OK)
i_printfExit(MSG_LibcurlNoInit);
- curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, do_certs);
res = curl_easy_setopt(handle, CURLOPT_USERNAME, username);
if (res != CURLE_OK) {
ebcurl_setError(res, mailbox);
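Review bot: Dropping the CURLOPT_SSL_VERIFYPEER call here (and the matching one in newSendmailHandle in src/sendmail.c) leaves the mail handles at libcurl's default unless their URL is later set through setCurlURL, and the hunk does not show whether fetchMail or the sendmail path does that. If they do not, neither vs nor the new novs directive has any effect on mail transfers, and accounts that previously relied on nocert for a self-signed pop3s/smtps server will now fail the handshake with no configuration escape hatch. Please confirm both handles go through setCurlURL, or route the mailbox URL through it so the per-host decision is applied; a short comment at the removal site, `/* verification is now set per host in setCurlURL() */`, would document the dependency. The enclosing function starts before this hunk.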
@@ -493,7 +492,7 @@ int fetchMail(int account)
mailstring = initString(&mailstring_l);
CURL *mail_handle =
- newFetchmailHandle(mailbox_url, login, pass, !a->nocert);
+ newFetchmailHandle(mailbox_url, login, pass);
res_curl = count_messages(mail_handle, mailbox_url, &message_count);
if (res_curl != CURLE_OK)
goto fetchmail_cleanup;
diff --git a/src/main.c b/src/main.c
index a889316..8181f97 100644
--- a/src/main.c
+++ b/src/main.c
@@ -166,7 +166,7 @@ static void readConfigFile(void)
"adbook", "ipblack", "maildir", "agent",
"jar", "nojs", "spamcan",
"webtimer", "mailtimer", "certfile", "datasource", "proxy",
- "linelength", "localizeweb", "jspool",
+ "linelength", "localizeweb", "jspool", "novs",
0
};
@@ -662,6 +662,15 @@ putc:
jsPool = 1000;
continue;
+ case 32:
+ if (*v == '.')
+ ++v;
+ q = strchr(v, '.');
+ if (!q || q[1] == 0)
+ i_printfExit(MSG_ERBC_DomainDot, ln, v);
+ addNovsHost(v);
+ continue;
+
default:
i_printfExit(MSG_ERBC_KeywordNYI, ln, s);
} /* switch */
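Review bot: `case 32` hands `v` to addNovsHost, which stores the pointer itself rather than a copy, so the entry is only valid if `v` points into storage that outlives readConfigFile; the hunk does not show where `v` comes from, and if it points into a per-line buffer that is reused or freed, every stored host dangles by the time mustVerifyHost compares against it. If that is the case, copy before storing, e.g. `addNovsHost(strdup(v));` (or the project's string-duplication helper) with a NULL check. Note also that stripping the leading dot does not make the entry a suffix match: mustVerifyHost compares the whole hostname with strcasecmp, so `novs = .example.com` disables verification only for `example.com`, not its subdomains, and the user's guide should say the match is exact and case-insensitive. The enclosing function readConfigFile starts before this hunk.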
@@ -682,11 +691,6 @@ nokeyword:
continue;
}
- if (stringEqual(s, "nocert") && mailblock == 1) {
- act->nocert = 1;
- continue;
- }
-
if (*s == '\x82' && s[1] == 0) {
if (mailblock == 1) {
++maxAccount;
diff --git a/src/sendmail.c b/src/sendmail.c
index 9ff87d6..5b311a3 100644
--- a/src/sendmail.c
+++ b/src/sendmail.c
@@ -745,7 +745,6 @@ static CURL *newSendmailHandle(const struct MACCOUNT *account,
const char *outurl, const char *reply,
struct curl_slist *recipients)
{
- int do_certs = verifyCertificates && !account->nocert;
CURLcode res = CURLE_OK;
CURL *handle = curl_easy_init();
if (!handle) {
@@ -766,8 +765,6 @@ static CURL *newSendmailHandle(const struct MACCOUNT *account,
goto new_handle_cleanup;
}
- curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, do_certs);
-
if (account->outssl == 2)
curl_easy_setopt(handle, CURLOPT_USE_SSL, CURLUSESSL_ALL);
diff --git a/src/url.c b/src/url.c
index 492913a..49540fc 100644
--- a/src/url.c
+++ b/src/url.c
@@ -1006,6 +1006,38 @@ const char *findProxyForURL(const char *url)
return findProxyInternal(getProtURL(url), getHostURL(url));
} /* findProxyForURL */
+static char **novs_hosts;
+size_t novs_hosts_avail;
+size_t novs_hosts_max;
+
+void addNovsHost(char *host)
+{
+ if (novs_hosts_max == 0) {
+ novs_hosts_max = 32;
+ novs_hosts = allocZeroMem(novs_hosts_max);
+ } else if (novs_hosts_avail >= novs_hosts_max) {
+ novs_hosts_max *= 2;
+ novs_hosts = reallocMem(novs_hosts, novs_hosts_max);
+ }
+ novs_hosts[novs_hosts_avail++] = host;
+} /* addNovsHost */
+
+/* Return true if the cert for this host should be verified. */
+static eb_bool mustVerifyHost(const char *host)
+{
+ size_t i;
+
+ if (!verifyCertificates)
+ return eb_false;
+
+ for (i = 0; i < novs_hosts_avail; i++) {
+ if (!strcasecmp(host, novs_hosts[i])) {
+ return eb_false;
+ }
+ }
+ return eb_true;
+} /* mustVerifyHost */
+
CURLcode setCurlURL(CURL * h, const char *url)
{
const char *proxy = findProxyForURL(url);
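Review bot: addNovsHost sizes the table in bytes rather than pointers: `allocZeroMem(novs_hosts_max)` and `reallocMem(novs_hosts, novs_hosts_max)` request 32 (then 64, …) bytes, but `novs_hosts[novs_hosts_avail++] = host` needs 32 `char *` slots, so on a 64-bit build the fifth novs entry in the config file writes past the allocation, assuming those helpers take a byte count like malloc/realloc. Change both to `novs_hosts = allocZeroMem(novs_hosts_max * sizeof *novs_hosts);` and `novs_hosts = reallocMem(novs_hosts, novs_hosts_max * sizeof *novs_hosts);`. `novs_hosts_avail` and `novs_hosts_max` should be `static` like `novs_hosts`, and strcasecmp needs `<strings.h>` in this translation unit if it is not already included. mustVerifyHost dereferences `host` unconditionally; if getHostURL can return NULL for a URL without a host part, it should return eb_true in that case rather than pass NULL to strcasecmp. setCurlURL begins at the end of this hunk and continues outside it.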
@@ -1013,6 +1045,9 @@ CURLcode setCurlURL(CURL * h, const char *url)
proxy = "";
else
debugPrint(3, "proxy %s", proxy);
+ const char *host = getHostURL(url);
curl_easy_setopt(h, CURLOPT_PROXY, proxy);
+ curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER,
+ mustVerifyHost(host));
return curl_easy_setopt(h, CURLOPT_URL, url);
} /* setCurlURL */
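Review bot: The added `curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, …)` targets the global `curl_handle`, not the handle `h` passed to setCurlURL, so any other handle routed through this function (the mail handles, now that fetchmail.c and sendmail.c no longer set the option themselves) never receives the per-host verification decision and stays at libcurl's default. It should read `curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, (long)mustVerifyHost(host));` — the `long` cast because CURLOPT_SSL_VERIFYPEER is a long option read through varargs and eb_bool promotes only to int. A one-line comment above it, `/* per-host: verifyCertificates toggle plus the novs list */`, would help the next reader see why the option moved here from the callers.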
--
1.8.5.5