6dd4b07138eb8f479cc4205036c9d6a1794a9f80 galt Mon Nov 15 13:30:07 2021 -0800 Add domain exceptions whitelist for allowing us to configure a small number of exceptions that are old servers that are still incompatible with openssl. hg.conf setting httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions. This setting is not intended to be used for new servers which should just be advised on correct openssl compatibility, which usually means getting their server to output their intermediate certs as well, or even the cert chain which is typically just 3 certs. refs #28458
diff --git src/inc/net.h src/inc/net.h
index 3e4f999..86a6699 100644
--- src/inc/net.h
+++ src/inc/net.h
@@ -213,30 +213,31 @@
 void setAuthorization(struct netParsedUrl npu, char *authHeader, struct dyString *dy);
 /* Set the specified authorization header with BASIC auth base64-encoded user and password */
 boolean checkNoProxy(char *host);
 /* See if host endsWith element on no_proxy list. */
 int netHttpConnect(char *url, char *method, char *protocol, char *agent, char *optionalHeader);
 /* Parse URL, connect to associated server on port, and send most of
  * the request to the server. If specified in the url send user name
  * and password too. Typically the "method" will be "GET" or "POST"
  * and the agent will be the name of your program or
  * library. optionalHeader may be NULL or contain additional header
  * lines such as cookie info.
  * Proxy support via hg.conf httpProxy or env var http_proxy
  * Cert verification control via hg.conf httpsCertCheck or env var https_cert_check
+ * Cert verify domains exception white-list via hg.conf httpsCertCheckDomainExceptions or env var https_cert_check_domain_exceptions
  * Return data socket, or -1 if error.*/
 int netHttpGetMultiple(char *url, struct slName *queries, void *userData, void (*responseCB)(void *userData, char *req, char *hdr, struct dyString *body));
 /* Given an URL which is the base of all requests to be made, and a
  * linked list of queries to be appended to that base and sent in as
  * requests, send the requests as a batch and read the HTTP response
  * headers and bodies. If not all the requests get responses (i.e. if
  * the server is ignoring Keep-Alive or is imposing a limit), try again
  * until we can't connect or until all requests have been served.
  * For each HTTP response, do a callback. */
 char *transferParamsToRedirectedUrl(char *url, char *newUrl);
 /* Transfer password, byteRange, and any other parameters from url to newUrl and return result.