Mercurial > hg > orthanc

comparison Core/HttpClient.cpp @ 1534:95b3b0260240

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Options to validate peers against CA certificates in HTTPS requests
author Sebastien Jodogne <s.jodogne@gmail.com>
date Thu, 13 Aug 2015 12:42:32 +0200
parents 0011cc99443c
children ba0226474e22
comparison
equal deleted inserted replaced
1533:0011cc99443c 1534:95b3b0260240
40 #include <string.h> 40 #include <string.h>
41 #include <curl/curl.h> 41 #include <curl/curl.h>
42 #include <boost/algorithm/string/predicate.hpp> 42 #include <boost/algorithm/string/predicate.hpp>
43 43
44 44
45 static std::string cacert_; 45 static std::string globalCACertificates_;
46 static bool httpsVerifyPeers_ = true; 46 static bool globalVerifyPeers_ = true;
47 47
48 extern "C" 48 extern "C"
49 { 49 {
50 static CURLcode GetHttpStatus(CURLcode code, CURL* curl, long* status) 50 static CURLcode GetHttpStatus(CURLcode code, CURL* curl, long* status)
51 { 51 {
129 129
130 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_WRITEFUNCTION, &CurlCallback)); 130 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_WRITEFUNCTION, &CurlCallback));
131 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HEADER, 0)); 131 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HEADER, 0));
132 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_FOLLOWLOCATION, 1)); 132 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_FOLLOWLOCATION, 1));
133 133
134 #if ORTHANC_SSL_ENABLED == 1
135 if (httpsVerifyPeers_)
136 {
137 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, cacert_.c_str()));
138 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 1));
139 }
140 else
141 {
142 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 0));
143 }
144 #endif
145
146 // This fixes the "longjmp causes uninitialized stack frame" crash 134 // This fixes the "longjmp causes uninitialized stack frame" crash
147 // that happens on modern Linux versions. 135 // that happens on modern Linux versions.
148 // http://stackoverflow.com/questions/9191668/error-longjmp-causes-uninitialized-stack-frame 136 // http://stackoverflow.com/questions/9191668/error-longjmp-causes-uninitialized-stack-frame
149 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_NOSIGNAL, 1)); 137 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_NOSIGNAL, 1));
150 138
151 url_ = ""; 139 url_ = "";
152 method_ = HttpMethod_Get; 140 method_ = HttpMethod_Get;
153 lastStatus_ = HttpStatus_200_Ok; 141 lastStatus_ = HttpStatus_200_Ok;
154 isVerbose_ = false; 142 isVerbose_ = false;
155 timeout_ = 0; 143 timeout_ = 0;
144 verifyPeers_ = globalVerifyPeers_;
156 } 145 }
157 146
158 147
159 HttpClient::HttpClient() : pimpl_(new PImpl) 148 HttpClient::HttpClient() : pimpl_(new PImpl)
160 { 149 {
203 bool HttpClient::Apply(std::string& answer) 192 bool HttpClient::Apply(std::string& answer)
204 { 193 {
205 answer.clear(); 194 answer.clear();
206 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_URL, url_.c_str())); 195 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_URL, url_.c_str()));
207 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_WRITEDATA, &answer)); 196 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_WRITEDATA, &answer));
197
198 // Setup HTTPS-related options
199 #if ORTHANC_SSL_ENABLED == 1
200 if (IsHttpsVerifyPeers())
201 {
202 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, GetHttpsCACertificates().c_str()));
203 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 1));
204 }
205 else
206 {
207 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 0));
208 }
209 #endif
208 210
209 // Reset the parameters from previous calls to Apply() 211 // Reset the parameters from previous calls to Apply()
210 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HTTPHEADER, NULL)); 212 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HTTPHEADER, NULL));
211 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HTTPGET, 0L)); 213 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HTTPGET, 0L));
212 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_POST, 0L)); 214 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_POST, 0L));
334 { 336 {
335 credentials_ = std::string(username) + ":" + std::string(password); 337 credentials_ = std::string(username) + ":" + std::string(password);
336 } 338 }
337 339
338 340
341 const std::string& HttpClient::GetHttpsCACertificates() const
342 {
343 if (caCertificates_.empty())
344 {
345 return globalCACertificates_;
346 }
347 else
348 {
349 return caCertificates_;
350 }
351 }
352
353
339 void HttpClient::GlobalInitialize(bool httpsVerifyPeers, 354 void HttpClient::GlobalInitialize(bool httpsVerifyPeers,
340 const std::string& httpsVerifyCertificates) 355 const std::string& httpsVerifyCertificates)
341 { 356 {
357 globalVerifyPeers_ = httpsVerifyPeers;
358 globalCACertificates_ = httpsVerifyCertificates;
359
342 #if ORTHANC_SSL_ENABLED == 1 360 #if ORTHANC_SSL_ENABLED == 1
343 httpsVerifyPeers_ = httpsVerifyPeers;
344 cacert_ = httpsVerifyCertificates;
345
346 // TODO
347 /*if (cacert_.empty())
348 {
349 cacert_ = "/etc/ssl/certs/ca-certificates.crt";
350 }*/
351
352 if (httpsVerifyPeers) 361 if (httpsVerifyPeers)
353 { 362 {
354 if (cacert_.empty()) 363 if (globalCACertificates_.empty())
355 { 364 {
356 LOG(WARNING) << "No certificates are provided to validate peers, " 365 LOG(WARNING) << "No certificates are provided to validate peers, "
357 << "set \"HttpsCertificatesFile\" if you need to do HTTPS requests"; 366 << "set \"HttpsCACertificates\" if you need to do HTTPS requests";
358 } 367 }
359 else 368 else
360 { 369 {
361 LOG(WARNING) << "HTTPS will use the certificates from this file: " << cacert_; 370 LOG(WARNING) << "HTTPS will use the CA certificates from this file: " << globalCACertificates_;
362 } 371 }
363 } 372 }
364 else 373 else
365 { 374 {
366 LOG(WARNING) << "The verification of the peers in HTTPS requests is disabled!"; 375 LOG(WARNING) << "The verification of the peers in HTTPS requests is disabled!";