From eaa703ef062fbf5f215ceeaedac9aa27c037cd81 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Fri, 22 Apr 2022 17:52:33 +0200 Subject: [PATCH] MEDIUM: httpclient/ssl: verify is configurable and disabled by default Disable temporary the SSL verify by default in the httpclient. The initialization of the @system-ca during the init of the httpclient is a problem in some cases. The verify can be reactivated with "httpclient-ssl-verify required" in the global section. --- src/http_client.c | 41 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/src/http_client.c b/src/http_client.c index 0614ae770..668489a75 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -41,9 +41,11 @@ static struct proxy *httpclient_proxy; static struct server *httpclient_srv_raw; #ifdef USE_OPENSSL static struct server *httpclient_srv_ssl; +static int httpclient_ssl_verify = SSL_SOCK_VERIFY_NONE; #endif static struct applet httpclient_applet; + /* --- This part of the file implement an HTTP client over the CLI --- * The functions will be starting by "hc_cli" for "httpclient cli" */ @@ -1043,10 +1045,13 @@ static int httpclient_precheck() if (!httpclient_srv_ssl->id) goto err; - httpclient_srv_ssl->ssl_ctx.verify = SSL_SOCK_VERIFY_REQUIRED; - httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca"); - if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) - goto err; + httpclient_srv_ssl->ssl_ctx.verify = httpclient_ssl_verify; + + if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) { + httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca"); + if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) + goto err; + } #endif 
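Review bot: The `required` branch in httpclient_precheck tests `httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED`, but the keyword parser added in the last hunk stores `SSL_SERVER_VERIFY_NONE` / `SSL_SERVER_VERIFY_REQUIRED`, while the variable is initialised with `SSL_SOCK_VERIFY_NONE` in the first hunk. Those are two different constant families in HAProxy (the per-server `ssl_ctx.verify` bitfield versus the global `ssl-server-verify` enum); unless their numeric values happen to coincide, `httpclient-ssl-verify required` never reaches the `@system-ca` loading path and `ssl_ctx.verify` receives a value from the wrong family, so verification stays off or weaker than configured while the operator believes it is enforced. The parser should assign the family the consumer reads: `httpclient_ssl_verify = SSL_SOCK_VERIFY_NONE;` and `httpclient_ssl_verify = SSL_SOCK_VERIFY_REQUIRED;`. Because the new default turns off peer-certificate verification for every outgoing httpclient TLS connection, a comment on the static such as `/* default: no peer verification; enable with "httpclient-ssl-verify required" in global */` would make that exposure visible at the definition rather than only in the commit message. httpclient_precheck begins and ends outside this hunk.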
@@ -1139,3 +1144,31 @@ err:
 REGISTER_PRE_CHECK(httpclient_precheck);
 REGISTER_POST_CHECK(httpclient_postcheck);
+
+#ifdef USE_OPENSSL
+static int httpclient_parse_global_verify(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ if (too_many_args(1, args, err, NULL))
+ return -1;
+
+ if (strcmp(args[1],"none") == 0)
+ httpclient_ssl_verify = SSL_SERVER_VERIFY_NONE;
+ else if (strcmp(args[1],"required") == 0)
+ httpclient_ssl_verify = SSL_SERVER_VERIFY_REQUIRED;
+ else {
+ ha_alert("parsing [%s:%d] : '%s' expects 'none' or 'required' as argument.\n", file, line, args[0]);
+ return -1;
+ }
+
+ return 0;
+}
+
+static struct cfg_kw_list cfg_kws = {ILH, {
+ { CFG_GLOBAL, "httpclient-ssl-verify", httpclient_parse_global_verify },
+ { 0, NULL, NULL },
+}};
+
+INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
+#endif
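Review bot: Error reporting in httpclient_parse_global_verify is inconsistent: the `too_many_args()` path hands its message back through `err`, whereas the unknown-argument branch calls `ha_alert()` directly and returns -1 with `*err` left untouched. If the global-section caller prints `*err` for a negative return, as the `err` parameter of this callback signature suggests, the second path yields either a duplicated alert or one with an empty message. Using the same channel, `memprintf(err, "'%s' expects 'none' or 'required' as argument.", args[0]);` in place of the `ha_alert` line, keeps both failures uniform. The function begins and ends inside this hunk.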