From e9549eba3484ea7ca2db6fd2094239efb751144e Mon Sep 17 00:00:00 2001
From: "Gerd v. Egidy"
Date: Sun, 7 Aug 2022 12:56:41 +0200
Subject: [PATCH] don't do certificate verification for https downloads in the lua script it is usually run during initramfs: we don't have a CA database there, so all https downloads would fail otherwise. Not doing cert verification at this step is clearly documented, so no unexpected security risk for the user.
---
 airootfs/usr/bin/sysrescue-configuration.lua | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/airootfs/usr/bin/sysrescue-configuration.lua b/airootfs/usr/bin/sysrescue-configuration.lua
index 7b96abf..49e8626 100755
--- a/airootfs/usr/bin/sysrescue-configuration.lua
+++ b/airootfs/usr/bin/sysrescue-configuration.lua
@@ -24,6 +24,9 @@ local lfs = require('lfs')
 local yaml = require('yaml')
 local json = require("dkjson")
 local request = require("http.request")
+local tls_ctx = require "http.tls".new_client_context()
+local tls_ctx_noverify = require "openssl.ssl.context".VERIFY_NONE
+local tls_ctx_doverify = require "openssl.ssl.context".VERIFY_PEER
 
 -- ==============================================================================
 -- Utility functions
@@ -166,6 +169,11 @@ end
 function download_file(fileurl)
 local req_timeout = 10
 local req = request.new_from_uri(fileurl)
+
+ --- we (usually) run during initramfs where the CA database is not available, so don't verify certificates
+ tls_ctx:setVerify(tls_ctx_noverify)
+ req.ctx = tls_ctx
+
 local headers, stream = req:go(req_timeout)
 if headers == nil then
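Review bot: `tls_ctx` is a single client context created at module load, and the second hunk mutates it to VERIFY_NONE inside download_file, so any request in this script that reuses this context afterwards also runs without certificate verification, not only the initramfs download path the commit message describes; a comment at the declaration would make that scope explicit, e.g. `-- shared client TLS context; download_file() switches it to VERIFY_NONE because no CA store exists in the initramfs`. The names `tls_ctx_noverify` and `tls_ctx_doverify` hold verify-mode constants rather than contexts, so `tls_verify_none` / `tls_verify_peer` would read less misleadingly next to the real `tls_ctx`. `tls_ctx_doverify` is not referenced anywhere in this patch; if nothing elsewhere in the file re-enables VERIFY_PEER it is dead code, and if something does, the verify mode of the shared context becomes dependent on call order, which is worth noting where it is declared.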