src/lib/https.c f90dad3fd12f2d38f0407507297343d692a56a48

f90dad3fd12f2d38f0407507297343d692a56a48
galt
  Fri Nov 19 14:42:03 2021 -0800
Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log.

diff --git src/lib/https.c src/lib/https.c
index 3136fb5..7da0db0 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -294,47 +294,47 @@
 */
 if (depth > atoi(getenv("https_cert_check_depth")))
     {
     preverify_ok = 0;
     err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
     X509_STORE_CTX_set_error(ctx, err);
     }
 if (sameString(getenv("https_cert_check_verbose"), "on"))
     {
     fprintf(stderr,"depth=%d:%s\n", depth, buf);
     }
 if (!preverify_ok) 
     {
     if (getenv("SCRIPT_NAME"))  // CGI mode
 	{
-	fprintf(stderr, "verify error:num=%d:%s:depth=%d:%s\n", err,
-	    X509_verify_cert_error_string(err), depth, buf);
+	fprintf(stderr, "verify error:num=%d:%s:depth=%d:%s CGI=%s\n", err,
+	    X509_verify_cert_error_string(err), depth, buf, getenv("SCRIPT_NAME"));
 	}
+    if (!sameString(getenv("https_cert_check"), "log"))
+	{
 	char *cn = strstr(buf, "/CN=");
 	if (cn) cn+=4;  // strlen /CN=
 	warn("%s on %s", X509_verify_cert_error_string(err), cn);
 	}
-/*
-* At this point, err contains the last verification error. We can use
-* it for something special
-*/
+    }
+/* err contains the last verification error.  */
 if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
     {
     X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
     fprintf(stderr, "issuer= %s\n", buf);
     }
-if (sameString(getenv("https_cert_check"), "warn"))
+if (sameString(getenv("https_cert_check"), "warn") || sameString(getenv("https_cert_check"), "log"))
     return 1;
 else
     return preverify_ok;
 }
 
 
 static struct hash *initDomainWhiteListHash()
 /* Initialize once, has all the old existing domains 
  * for which cert checking is skipped since they are not compatible (yet) with openssl.*/
 {
 static struct hash *domainWhiteList = NULL;
 static pthread_mutex_t initInUseMutex = PTHREAD_MUTEX_INITIALIZER;
 
 if (!domainWhiteList)
     {
@@ -382,31 +382,31 @@
 	}
     pthread_mutex_unlock( &initInUseMutex );
     }
 return domainWhiteList;
 }
 
 
 int netConnectHttps(char *hostName, int port, boolean noProxy)
 /* Return socket for https connection with server or -1 if error. */
 {
 
 int fd=0;
 
 // https_cert_check env var can be abort warn or none.
 
-setenv("https_cert_check", "warn", 0);      // DEFAULT certificate check is warn.
+setenv("https_cert_check", "log", 0);      // DEFAULT certificate check is log.
 
 setenv("https_cert_check_depth", "9", 0);   // DEFAULT depth check level is 9.
 
 setenv("https_cert_check_verbose", "off", 0);   // DEFAULT verbose is off.
 
 setenv("https_cert_check_domain_exceptions", "", 0);   // DEFAULT space separated list is empty string.
 
 char *proxyUrl = getenv("https_proxy");
 
 if (noProxy)
     proxyUrl = NULL;
 char *connectHost;
 int connectPort;
 
 BIO *fbio=NULL;  // file descriptor bio
@@ -419,31 +419,31 @@
 ctx = SSL_CTX_new(SSLv23_client_method());
 
 fd_set readfds;
 fd_set writefds;
 int err;
 struct timeval tv;
 
 
 if (!sameString(getenv("https_cert_check"), "none"))
     {
     if (hashLookup(initDomainWhiteListHash(), hostName))
 	{
 	// old existing domains which are not (yet) compatible with openssl.
 	if (getenv("SCRIPT_NAME"))  // CGI mode
 	    {
-	    fprintf(stderr, "domain %s cert check skipped because it is white listed.\n", hostName);
+	    fprintf(stderr, "domain %s cert check skipped because it is white-listed as an exception.\n", hostName);
 	    }
 	}
     else
 	{
 
 	// verify peer cert of the server.
 	// Set TRUSTED_FIRST for openssl 1.0
 	// Fixes common issue openssl 1.0 had with with LetsEncrypt certs in the Fall of 2021.
 	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_TRUSTED_FIRST);
 
         // This flag causes intermediate certificates in the trust store to be treated as trust-anchors, in the same way as the self-signed root CA certificates. 
         // This makes it possible to trust certificates issued by an intermediate CA without having to trust its ancestor root CA.
         // GNU-TLS uses it, and openssl probably will do it in the future. 
         // Currently this does not fix any of our known issues with users servers certs.
 	// X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);