don't do certificate verification for https downloads in the lua script

it is usually run during initramfs: we don't have a CA database there, so
all https downloads would fail otherwise.

Not doing cert verification at this step is clearly documented, so no
unexpected security risk for the user.
Gerd v. Egidy 2022-08-07 12:56:41 +02:00
parent 81db3b13db
commit e9549eba34


@ -24,6 +24,9 @@ local lfs = require('lfs')
local yaml = require('yaml')
local json = require("dkjson")
local request = require("http.request")
local tls_ctx = require "http.tls".new_client_context()
local tls_ctx_noverify = require "openssl.ssl.context".VERIFY_NONE
local tls_ctx_doverify = require "openssl.ssl.context".VERIFY_PEER
-- ==============================================================================
-- Utility functions
@ -166,6 +169,11 @@ end
function download_file(fileurl)
local req_timeout = 10
local req = request.new_from_uri(fileurl)
--- we (usually) run during initramfs where the CA database is not available, so don't verify certificates
tls_ctx:setVerify(tls_ctx_noverify)
req.ctx = tls_ctx
local headers, stream = req:go(req_timeout)
if headers == nil then
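Review bot: `tls_ctx:setVerify(tls_ctx_noverify)` in download_file turns certificate verification off for every https download, not only when the CA database is missing, and `tls_ctx_doverify` from the first hunk is never used in the visible lines. With verification off the TLS peer is unauthenticated, so anything on the network path can replace the downloaded file; how much that matters depends on what the caller does with the content, which is outside this hunk. Consider keeping VERIFY_PEER as the default and dropping to VERIFY_NONE only on an explicit opt-out (a new flag, here called `skip_cert_verify`), e.g. `tls_ctx:setVerify(skip_cert_verify and tls_ctx_noverify or tls_ctx_doverify)`, or checking the downloaded data against a hash or signature obtained out of band. The two new locals hold verify-mode constants rather than contexts, so names like `tls_verify_none` / `tls_verify_peer` would be more accurate. download_file's body continues outside the hunk.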