50f971f315c432f4d11d090e3ccc180d1ad3c421
galt
  Sat Nov 6 10:32:01 2021 -0700
Revert "Add trust_first flag to https.c for verify makes openssl 1.0 compatible with LetsEncrypt flags. fixes #28332"

This reverts commit ea0ea7155718c9acacc21f07b2d8cd247a2e9707.

This cert verify functionality will return in a future release with more features and testing.

diff --git src/lib/https.c src/lib/https.c
index c23254f..0be0daa 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -101,41 +101,49 @@
 
 BIO *fbio=NULL;  // file descriptor bio
 BIO *sbio=NULL;  // ssl bio
 SSL_CTX *ctx;
 SSL *ssl;
 
 openSslInit();
 
 ctx = SSL_CTX_new(SSLv23_client_method());
 
 fd_set readfds;
 fd_set writefds;
 int err;
 struct timeval tv;
 
-// Set TRUSTED_FIRST for openssl 1.0
-// Fixes common issue openssl 1.0 had with with LetsEncrypt certs in the Fall of 2021.
-X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_TRUSTED_FIRST);
 
-// verify peer cert of the server.
-SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
-if (!SSL_CTX_set_default_verify_paths(ctx)) 
+/* TODO checking certificates 
+
+char *certFile = NULL;
+char *certPath = NULL;
+if (certFile || certPath)
     {
-    xerr("SSL set default verify paths failed");
+    SSL_CTX_load_verify_locations(ctx,certFile,certPath);
+#if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
+    SSL_CTX_set_verify_depth(ctx,1);
+#endif
     }
 
+// verify paths and mode.
+
+*/
+
+
+
 // Don't want any retries since we are non-blocking bio now
 // This is available on newer versions of openssl
 //SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 
 // Support for Http Proxy
 struct netParsedUrl pxy;
 if (proxyUrl)
     {
     netParseUrl(proxyUrl, &pxy);
     if (!sameString(pxy.protocol, "http"))
 	{
 	char s[256];	
 	safef(s, sizeof s, "Unknown proxy protocol %s in %s. Should be http.", pxy.protocol, proxyUrl);
 	xerr(s);
 	goto cleanup;
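Review bot: After this hunk the SSL_CTX created on the `ctx = SSL_CTX_new(...)` line is never given a verify mode or trust store, so the context is left at OpenSSL's default (which, as far as I recall, is SSL_VERIFY_NONE) and nothing in the code says so; the commented-out TODO block only hints at it. A one-line comment next to the TODO would keep the next reader from assuming the server is authenticated, e.g. `// NOTE: no SSL_CTX_set_verify()/verify paths are configured here, so the peer certificate is not checked; see the commit message.` Separately, the TODO block is commented-out code (including an `#if OPENSSL_VERSION_NUMBER` branch); a prose description of what is intended would age better than dead code. The enclosing function starts before this hunk.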
@@ -261,30 +269,38 @@
 	{
 	xerr("select() error");
 	goto cleanup;
 	}
 
     if (err == 0) 
 	{
 	char s[256];	
 	safef(s, sizeof s, "connection timeout to %s", params->hostName);
 	xerr(s);
 	goto cleanup;
 	}
     }
 
 
+/* TODO checking certificates 
+
+if (certFile || certPath)
+    if (!check_cert(ssl, host))
+	return -1;
+
+*/
+
 /* we need to wait on both the user's socket and the BIO SSL socket 
  * to see if we need to ferry data from one to the other */
 
 
 char sbuf[32768];  // socket buffer sv[1] to user
 char bbuf[32768];  // bio buffer
 int srd = 0;
 int swt = 0;
 int brd = 0;
 int bwt = 0;
 while (1) 
     {
 
     // Do NOT move this outside the while loop. 
     /* Get underlying file descriptor, needed for select call */
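Review bot: The commented-out `check_cert` block at the top of this hunk ends with `return -1;`, which would skip the `cleanup:` label that the surrounding error paths use (`goto cleanup;` on the select() and timeout branches just above), so reviving it as written would leak the BIOs and context. If the block stays as a TODO, I would change its body to `goto cleanup;` now so it matches the function's error-handling convention, and note that `host` does not appear to be an identifier in scope here (the timeout message uses `params->hostName`). The enclosing function continues past the end of the hunk.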