Index: /trunk/include/iprt/http.h
===================================================================
--- /trunk/include/iprt/http.h	(revision 78065)
+++ /trunk/include/iprt/http.h	(revision 78066)
@@ -319,4 +319,12 @@
 
 /**
+ * Gets the follow redirect setting.
+ *
+ * @returns cMaxRedirects value, 0 means not to follow.
+ * @param   hHttp           The HTTP client handle.
+ */
+RTR3DECL(uint32_t) RTHttpGetFollowRedirects(RTHTTP hHttp);
+
+/**
  * Set custom raw headers.
  *
@@ -468,4 +476,25 @@
  */
 RTR3DECL(int) RTHttpGatherCaCertsInFile(const char *pszCaFile, uint32_t fFlags, PRTERRINFO pErrInfo);
+
+/**
+ * Set whether to verify the peer's SSL certificate.
+ *
+ * The default is to verify it.  It can however sometimes be useful or even
+ * necessary to skip this.
+ *
+ * @returns iprt status code.
+ *
+ * @param   hHttp           The HTTP client handle.
+ * @param   fVerify         Verify the certificate if @a true.
+ */
+RTR3DECL(int) RTHttpSetVerifyPeer(RTHTTP hHttp, bool fVerify);
+
+/**
+ * Get the state of the peer's SSL certificate setting.
+ *
+ * @returns  true if we verify the SSL certificate, false if not.
+ * @param   hHttp           The HTTP client handle.
+ */
+RTR3DECL(bool) RTHttpGetVerifyPeer(RTHTTP hHttp);
 
 /**
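Review bot: The doc comment on `RTHttpSetVerifyPeer` says skipping verification can be "useful or even necessary" but never states what the caller gives up by doing so. I would add `* With verification off the server is not authenticated; anything received must be validated by other means.` and `* The setting stays on the handle until changed, so callers should restore the previous value.` It would also help to state whether `RTHttpReset` changes the setting, which the `@todo` in http-curl.cpp leaves open.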
Index: /trunk/include/iprt/mangling.h
===================================================================
--- /trunk/include/iprt/mangling.h	(revision 78065)
+++ /trunk/include/iprt/mangling.h	(revision 78066)
@@ -1131,5 +1131,8 @@
 # define RTHeapSimpleSize                               RT_MANGLER(RTHeapSimpleSize)
 # define RTHttpGetFile                                  RT_MANGLER(RTHttpGetFile)
+# define RTHttpGetFollowRedirects                       RT_MANGLER(RTHttpGetFollowRedirects)
 # define RTHttpSetFollowRedirects                       RT_MANGLER(RTHttpSetFollowRedirects)
+# define RTHttpGetVerifyPeer                            RT_MANGLER(RTHttpGetVerifyPeer)
+# define RTHttpSetVerifyPeer                            RT_MANGLER(RTHttpSetVerifyPeer)
 # define RTHttpUseSystemProxySettings                   RT_MANGLER(RTHttpUseSystemProxySettings)
 # define RTIniFileCreateFromVfsFile                     RT_MANGLER(RTIniFileCreateFromVfsFile)
Index: /trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp
===================================================================
--- /trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp	(revision 78065)
+++ /trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp	(revision 78066)
@@ -777,4 +777,14 @@
     NOREF(pStaticErrInfo);
     int rc;
+
+    /*
+     * Must disable SSL certification verification here as we cannot use the
+     * SSL certificates before we've downloaded them.   We must also enable
+     * redirections in case the certificates moves around.
+     */
+    bool const     fSavedVerifyPeer   = RTHttpGetVerifyPeer(hHttp);
+    uint32_t const cSavedMaxRedirects = RTHttpGetFollowRedirects(hHttp);
+    RTHttpSetVerifyPeer(hHttp, false);
+    RTHttpSetFollowRedirects(hHttp, 8);
 
     /*
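Review bot: With `RTHttpSetVerifyPeer(hHttp, false)` plus up to 8 followed redirects, the certificate download that follows authenticates neither the first server nor any redirect target, so its payload is untrusted input. The new comment explains why verification is off but not where the downloaded certificates are validated before use; that check is not visible in these hunks. I would extend the comment with a line such as `* Nothing downloaded here is trusted until it has been checked against the certificates we expect (see below).`, adjusted to wherever the check actually lives. The return codes of both setters are also discarded here, unlike in tstSSLCertDownloads.cpp. The function starts and ends outside the hunk.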
@@ -810,4 +820,6 @@
                                 {
                                     RTHttpFreeResponse(pvRootsZip);
+                                    RTHttpSetVerifyPeer(hHttp, fSavedVerifyPeer);
+                                    RTHttpSetFollowRedirects(hHttp, cSavedMaxRedirects);
                                     return;
                                 }
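Review bot: The restore pair is written out by hand before this `return` and again at the end of the function (the hunk at -845), so any exit path not shown in these hunks would leave `hHttp` with peer verification off for later requests on the same handle. The restore results are also ignored, so a failing `RTHttpSetVerifyPeer(hHttp, fSavedVerifyPeer)` leaves verification disabled without anyone noticing. A small scope guard that captures both settings and puts them back in its destructor would cover every exit and give one place to assert on the status. The enclosing function starts and ends outside the hunk.

```cpp
/** Puts the handle's peer-verification and redirect settings back on scope exit. */
struct UIHttpSettingsRestorer
{
    RTHTTP   m_hHttp;
    bool     m_fVerifyPeer;
    uint32_t m_cMaxRedirects;

    UIHttpSettingsRestorer(RTHTTP hHttp)
        : m_hHttp(hHttp)
        , m_fVerifyPeer(RTHttpGetVerifyPeer(hHttp))
        , m_cMaxRedirects(RTHttpGetFollowRedirects(hHttp))
    {}

    ~UIHttpSettingsRestorer()
    {
        int rc = RTHttpSetVerifyPeer(m_hHttp, m_fVerifyPeer);
        AssertRC(rc);
        rc = RTHttpSetFollowRedirects(m_hHttp, m_cMaxRedirects);
        AssertRC(rc);
    }
};

// … in the function, replacing the two saved-value locals …
UIHttpSettingsRestorer const SettingsRestorer(hHttp);
RTHttpSetVerifyPeer(hHttp, false);
RTHttpSetFollowRedirects(hHttp, 8);
// … unchanged: download and certificate handling; the hand-written restore calls before each return go away …
```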
@@ -845,4 +857,7 @@
                 }
         }
+
+    RTHttpSetVerifyPeer(hHttp, fSavedVerifyPeer);
+    RTHttpSetFollowRedirects(hHttp, cSavedMaxRedirects);
 }
 
Index: /trunk/src/VBox/Frontends/VirtualBox/src/net/tstSSLCertDownloads.cpp
===================================================================
--- /trunk/src/VBox/Frontends/VirtualBox/src/net/tstSSLCertDownloads.cpp	(revision 78065)
+++ /trunk/src/VBox/Frontends/VirtualBox/src/net/tstSSLCertDownloads.cpp	(revision 78066)
@@ -57,4 +57,11 @@
     int rc;
 
+    bool const     fSavedVerifyPeer   = RTHttpGetVerifyPeer(TestObj.m_hHttp);
+    uint32_t const cSavedMaxRedirects = RTHttpGetFollowRedirects(TestObj.m_hHttp);
+    RTTESTI_CHECK_RC(RTHttpSetVerifyPeer(TestObj.m_hHttp, false), VINF_SUCCESS);
+    RTTESTI_CHECK_RC(RTHttpSetFollowRedirects(TestObj.m_hHttp, 8), VINF_SUCCESS);
+    RTTESTI_CHECK(RTHttpGetVerifyPeer(TestObj.m_hHttp) == false);
+    RTTESTI_CHECK(RTHttpGetFollowRedirects(TestObj.m_hHttp) == 8);
+
     /* ZIP files: */
     for (uint32_t iUrl = 0; iUrl < RT_ELEMENTS(s_apszRootsZipUrls); iUrl++)
@@ -113,4 +120,7 @@
     RTTESTI_CHECK(RTCrStoreRelease(hStore) == 0);
 
+    RTTESTI_CHECK_RC(RTHttpSetVerifyPeer(TestObj.m_hHttp, fSavedVerifyPeer), VINF_SUCCESS);
+    RTTESTI_CHECK_RC(RTHttpSetFollowRedirects(TestObj.m_hHttp, cSavedMaxRedirects), VINF_SUCCESS);
+
     /*
      * Now check the gathering of certificates on the system doesn't crash.
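Review bot: The restore calls at the top of this hunk only check the status code, so the test never confirms that peer verification is really back on. The setup hunk above reads both values back with the getters, and the restore should do the same: `RTTESTI_CHECK(RTHttpGetVerifyPeer(TestObj.m_hHttp) == fSavedVerifyPeer);` and `RTTESTI_CHECK(RTHttpGetFollowRedirects(TestObj.m_hHttp) == cSavedMaxRedirects);`. The enclosing function starts and ends outside the hunk.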
Index: /trunk/src/VBox/Runtime/generic/http-curl.cpp
===================================================================
--- /trunk/src/VBox/Runtime/generic/http-curl.cpp	(revision 78065)
+++ /trunk/src/VBox/Runtime/generic/http-curl.cpp	(revision 78066)
@@ -188,4 +188,6 @@
      * Zero if not automatically following (default). */
     uint32_t            cMaxRedirects;
+    /** Whether to check if Peer lies about his SSL certificate. */
+    bool                fVerifyPeer;
     /** @} */
 
@@ -384,4 +386,5 @@
                 pThis->fUseSystemProxySettings  = true;
                 pThis->cMaxRedirects            = 0; /* no automatic redir following */
+                pThis->fVerifyPeer              = true;
                 pThis->BodyOutput.pHttp         = pThis;
                 pThis->HeadersOutput.pHttp      = pThis;
@@ -418,4 +421,6 @@
     curl_easy_reset(pThis->pCurl);
 
+    /** @todo check if CURLOPT_SSL_VERIFYPEER is affected by curl_easy_reset. */
+
     if (!(fFlags & RTHTTP_RESET_F_KEEP_HEADERS))
         rtHttpFreeHeaders(pThis);
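Review bot: The new `@todo` can be answered now: `curl_easy_reset()` returns every option on the easy handle to its libcurl default, and `CURLOPT_SSL_VERIFYPEER` defaults to on, so after a reset `pThis->fVerifyPeer` can still read `false` while curl verifies again. That fails towards verification, but `RTHttpGetVerifyPeer` then misreports the state. The `if (pThis->fVerifyPeer != fVerify)` shortcut in `RTHttpSetVerifyPeer` (last hunk of this file) also turns a later `false` request into a silent no-op. Either resync the cache right after the reset with `pThis->fVerifyPeer = true;`, or drop the shortcut so the setter always calls `curl_easy_setopt`. The enclosing function starts and ends outside the hunk.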
@@ -523,4 +528,12 @@
     }
     return VINF_SUCCESS;
+}
+
+
+RTR3DECL(uint32_t) RTHttpGetFollowRedirects(RTHTTP hHttp)
+{
+    PRTHTTPINTERNAL pThis = hHttp;
+    RTHTTP_VALID_RETURN_RC(pThis, 0);
+    return pThis->cMaxRedirects;
 }
 
@@ -2615,5 +2628,4 @@
     RT_NOREF_PV(fFlags);
 
-
     /*
      * Add the user store, quitely ignoring any errors.
@@ -2671,4 +2683,30 @@
     }
     return rc;
+}
+
+
+RTR3DECL(bool) RTHttpGetVerifyPeer(RTHTTP hHttp)
+{
+    PRTHTTPINTERNAL pThis = hHttp;
+    RTHTTP_VALID_RETURN_RC(pThis, false);
+    return pThis->fVerifyPeer;
+}
+
+
+RTR3DECL(int) RTHttpSetVerifyPeer(RTHTTP hHttp, bool fVerify)
+{
+    PRTHTTPINTERNAL pThis = hHttp;
+    RTHTTP_VALID_RETURN(pThis);
+    AssertReturn(!pThis->fBusy, VERR_WRONG_ORDER);
+
+    if (pThis->fVerifyPeer != fVerify)
+    {
+        int rcCurl = curl_easy_setopt(pThis->pCurl, CURLOPT_SSL_VERIFYPEER, (long)fVerify);
+        AssertMsgReturn(rcCurl == CURLE_OK, ("CURLOPT_SSL_VERIFYPEER=%RTbool: %d (%#x)\n", fVerify, rcCurl, rcCurl),
+                        VERR_HTTP_CURL_ERROR);
+        pThis->fVerifyPeer = fVerify;
+    }
+
+    return VINF_SUCCESS;
 }
 
