Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is false

This makes that option even more insecure, by also not checking the SSL host.

But without this parameter, one can still get SSL errors even when
"verify-https-binary-caches" is false, which is unexpected IMO.
Utku Demir 2015-09-25 22:34:08 +03:00
parent aaf8a1c16b
commit a49514a2e2


@ -80,7 +80,12 @@ sub addRequest {
$curl->setopt(CURLOPT_WRITEDATA, $fh); $curl->setopt(CURLOPT_WRITEDATA, $fh);
$curl->setopt(CURLOPT_FOLLOWLOCATION, 1); $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
$curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle; $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle;
$curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1");
unless (isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1")) {
$curl->setopt(CURLOPT_SSL_VERIFYPEER, 0);
$curl->setopt(CURLOPT_SSL_VERIFYHOST, 0);
}
$curl->setopt(CURLOPT_USERAGENT, $userAgent); $curl->setopt(CURLOPT_USERAGENT, $userAgent);
$curl->setopt(CURLOPT_NOBODY, 1) if $head; $curl->setopt(CURLOPT_NOBODY, 1) if $head;
$curl->setopt(CURLOPT_FAILONERROR, 1); $curl->setopt(CURLOPT_FAILONERROR, 1);
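Review bot: With both `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` set to 0 in the new `unless` block, the connection is still encrypted but the server is not authenticated at all, and nothing in the hunk tells the operator that this mode is active. I would add a comment above the block, e.g. `# verify-https-binary-caches=false: neither the certificate chain nor the host name is checked, so downloaded content must be validated by other means`, and emit a warning once per process when the option is off instead of applying it silently on every request. Whether downloaded paths are verified by signature elsewhere is not visible in this hunk, so that part of the comment should be confirmed against the callers. The body of `addRequest` starts and ends outside the hunk.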