From b872ff0237d410c4bb25db896634fa3da6dc8c0c Mon Sep 17 00:00:00 2001
From: klauspost
Date: Thu, 29 Oct 2015 16:42:25 +0100
Subject: [PATCH] Add option to disable server certificate verification.

The option name mirrors the 'wget' option (also `--no-check-certificate`). The cURL equivalent is called `--insecure`, which is a bit unclear. Put in the "developers" section in documentation with proper warnings.

Fixes #168
---
 docs/content/docs.md | 12 ++++++++++++
 fs/config.go         | 38 +++++++++++++++++++++++++-------------
 2 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/docs/content/docs.md b/docs/content/docs.md
index bacbf6a2b..59151e219 100644
--- a/docs/content/docs.md
+++ b/docs/content/docs.md
@@ -294,6 +294,18 @@ here which are used for testing. These start with remote name eg
 Write cpu profile to file. This can be analysed with `go tool pprof`.
+### --no-check-certificate=true/false ###
+
+`--no-check-certificate` controls whether a client verifies the
+server's certificate chain and host name.
+If `--no-check-certificate` is true, TLS accepts any certificate
+presented by the server and any host name in that certificate.
+In this mode, TLS is susceptible to man-in-the-middle attacks.
+
+This option defaults to `false`.
+
+**This should be used only for testing.**
+
 Filtering
 ---------
diff --git a/fs/config.go b/fs/config.go
index aa0800aff..36b87bf2c 100644
--- a/fs/config.go
+++ b/fs/config.go
@@ -17,6 +17,7 @@ import (
 	"strings"
 	"time"
+	"crypto/tls"
 	"github.com/Unknwon/goconfig"
 	"github.com/mreiferson/go-httpclient"
 	"github.com/spf13/pflag"
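Review bot: In the `fs/config.go` import hunk, `"crypto/tls"` is a standard-library package but, as the hunk reads, it is added after `"time"` beside the third-party imports rather than in sorted position within the standard-library group. The blank-line grouping is not recoverable from this listing, so confirm with `goimports`, which will move the line to `"crypto/tls"` at the top of the stdlib group and keep the file `gofmt`-clean. The `import (` block begins before the hunk.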
@@ -53,6 +54,7 @@ var (
 	timeout = pflag.DurationP("timeout", "", 5*60*time.Second, "IO idle timeout")
 	dumpHeaders = pflag.BoolP("dump-headers", "", false, "Dump HTTP headers - may contain sensitive info")
 	dumpBodies = pflag.BoolP("dump-bodies", "", false, "Dump HTTP headers and bodies - may contain sensitive info")
+	skipVerify = pflag.BoolP("no-check-certificate", "", false, "Do not verify the server SSL certificate. Insecure.")
 	bwLimit SizeSuffix
 )
@@ -148,19 +150,20 @@ func Reveal(y string) string {
 // ConfigInfo is filesystem config options
 type ConfigInfo struct {
-	Verbose bool
-	Quiet bool
-	DryRun bool
-	CheckSum bool
-	SizeOnly bool
-	ModifyWindow time.Duration
-	Checkers int
-	Transfers int
-	ConnectTimeout time.Duration // Connect timeout
-	Timeout time.Duration // Data channel timeout
-	DumpHeaders bool
-	DumpBodies bool
-	Filter *Filter
+	Verbose bool
+	Quiet bool
+	DryRun bool
+	CheckSum bool
+	SizeOnly bool
+	ModifyWindow time.Duration
+	Checkers int
+	Transfers int
+	ConnectTimeout time.Duration // Connect timeout
+	Timeout time.Duration // Data channel timeout
+	DumpHeaders bool
+	DumpBodies bool
+	Filter *Filter
+	InsecureSkipVerify bool // Skip server certificate verification
 }
 // Transport returns an http.RoundTripper with the correct timeouts
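Review bot: The help text on the new `skipVerify` flag, `"Do not verify the server SSL certificate. Insecure."`, names SSL and stops at "Insecure", while the docs hunk in the same commit describes TLS and spells out the man-in-the-middle exposure; `--help` is where most users will meet this option, so it should carry the same warning and make clear the setting is process-wide. Suggest `skipVerify = pflag.BoolP("no-check-certificate", "", false, "Do not verify the server TLS certificate for any remote - susceptible to man-in-the-middle attacks. Testing only.")`. The `var (` block begins before the hunk.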
@@ -187,6 +190,14 @@ func (ci *ConfigInfo) Transport() http.RoundTripper {
 		// ReadWriteTimeout, if non-zero, will set a deadline for every Read and
 		// Write operation on the request connection.
 		ReadWriteTimeout: ci.Timeout,
+
+		// InsecureSkipVerify controls whether a client verifies the
+		// server's certificate chain and host name.
+		// If InsecureSkipVerify is true, TLS accepts any certificate
+		// presented by the server and any host name in that certificate.
+		// In this mode, TLS is susceptible to man-in-the-middle attacks.
+		// This should be used only for testing.
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: ci.InsecureSkipVerify},
 	}
 	if ci.DumpHeaders || ci.DumpBodies {
 		return NewLoggedTransport(t, ci.DumpBodies)
@@ -239,6 +250,7 @@ func LoadConfig() {
 	Config.SizeOnly = *sizeOnly
 	Config.DumpHeaders = *dumpHeaders
 	Config.DumpBodies = *dumpBodies
+	Config.InsecureSkipVerify = *skipVerify
 	ConfigPath = *configFile
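Review bot: The new `TLSClientConfig` line in the Transport hunk installs a custom `tls.Config` on every transport, including the default case where `ci.InsecureSkipVerify` is false, and when the flag is true nothing at runtime signals that certificate and host-name checks are off. I would set the field only when the flag is enabled, so the normal path keeps the transport's stock TLS behaviour (a non-nil client config can change defaults once it reaches a `net/http.Transport`, for example automatic HTTP/2 negotiation in later Go releases), and emit a one-time warning at that point, since the flag is process-wide and applies to every remote and every request. The hunk shows no logging helper, so the fence leaves that as a placeholder, and the six-line comment can then shrink to the two lines below. `Transport`'s body begins before the hunk, where `t` is presumably declared as the transport literal being built here.

```go
		ReadWriteTimeout: ci.Timeout,
	}
	if ci.InsecureSkipVerify {
		// Accepts any server certificate and host name, so the connection
		// is open to man-in-the-middle attacks: for testing only.
		// … emit a one-time warning here so the insecure mode is visible in the output …
		t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	}
	// … unchanged: DumpHeaders/DumpBodies wrapping and return …
```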