diff Core/HttpClient.cpp @ 1534:95b3b0260240

Options to validate peers against CA certificates in HTTPS requests
author Sebastien Jodogne <s.jodogne@gmail.com>
date Thu, 13 Aug 2015 12:42:32 +0200
parents 0011cc99443c
children ba0226474e22
--- a/Core/HttpClient.cpp	Wed Aug 12 17:52:10 2015 +0200
+++ b/Core/HttpClient.cpp	Thu Aug 13 12:42:32 2015 +0200
@@ -42,8 +42,8 @@
 #include <boost/algorithm/string/predicate.hpp>
 
 
-static std::string cacert_;
-static bool httpsVerifyPeers_ = true;
+static std::string globalCACertificates_;
+static bool globalVerifyPeers_ = true;
 
 extern "C"
 {
@@ -131,18 +131,6 @@
     CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HEADER, 0));
     CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_FOLLOWLOCATION, 1));
 
-#if ORTHANC_SSL_ENABLED == 1
-    if (httpsVerifyPeers_)
-    {
-      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, cacert_.c_str())); 
-      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 1)); 
-    }
-    else
-    {
-      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 0)); 
-    }
-#endif
-
     // This fixes the "longjmp causes uninitialized stack frame" crash
     // that happens on modern Linux versions.
     // http://stackoverflow.com/questions/9191668/error-longjmp-causes-uninitialized-stack-frame
@@ -153,6 +141,7 @@
     lastStatus_ = HttpStatus_200_Ok;
     isVerbose_ = false;
     timeout_ = 0;
+    verifyPeers_ = globalVerifyPeers_;
   }
 
 
@@ -206,6 +195,19 @@
     CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_URL, url_.c_str()));
     CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_WRITEDATA, &answer));
 
+    // Setup HTTPS-related options
+#if ORTHANC_SSL_ENABLED == 1
+    if (IsHttpsVerifyPeers())
+    {
+      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, GetHttpsCACertificates().c_str()));
+      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 1)); 
+    }
+    else
+    {
+      CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 0)); 
+    }
+#endif
+
     // Reset the parameters from previous calls to Apply()
     CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HTTPHEADER, NULL));
     CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_HTTPGET, 0L));
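Review bot: The new HTTPS block sets CURLOPT_SSL_VERIFYPEER but never sets CURLOPT_SSL_VERIFYHOST, so hostname matching is left to whatever the linked libcurl defaults to; since this commit makes certificate validation an explicit option, the verifying branch should pin it with `CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYHOST, 2L));` next to the VERIFYPEER line. The two VERIFYPEER calls also pass the value as an `int` (`1`, `0`) although curl_easy_setopt reads a `long` through varargs, which this file already gets right for CURLOPT_HTTPGET with `0L` two lines below — use `1L` / `0L` here as well. Note that when GetHttpsCACertificates() is empty the verifying branch still hands "" to CURLOPT_CAINFO, which replaces libcurl's compiled-in default bundle and will most likely make every HTTPS request fail; that is the safe direction, but a one-line comment such as `// An empty CA path deliberately fails closed rather than falling back to the system bundle` would stop someone from "fixing" it by skipping the option. Apply() itself starts and ends outside this hunk.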
@@ -336,29 +338,36 @@
   }
 
   
+  const std::string& HttpClient::GetHttpsCACertificates() const
+  {
+    if (caCertificates_.empty())
+    {
+      return globalCACertificates_;
+    }
+    else
+    {
+      return caCertificates_;
+    }
+  }
+
+
   void HttpClient::GlobalInitialize(bool httpsVerifyPeers,
                                     const std::string& httpsVerifyCertificates)
   {
-#if ORTHANC_SSL_ENABLED == 1
-    httpsVerifyPeers_ = httpsVerifyPeers;
-    cacert_ = httpsVerifyCertificates;
+    globalVerifyPeers_ = httpsVerifyPeers;
+    globalCACertificates_ = httpsVerifyCertificates;
 
-    // TODO 
-    /*if (cacert_.empty())
-    {
-      cacert_ = "/etc/ssl/certs/ca-certificates.crt";
-      }*/
-
+#if ORTHANC_SSL_ENABLED == 1
     if (httpsVerifyPeers)
     {
-      if (cacert_.empty())
+      if (globalCACertificates_.empty())
       {
         LOG(WARNING) << "No certificates are provided to validate peers, "
-                     << "set \"HttpsCertificatesFile\" if you need to do HTTPS requests";
+                     << "set \"HttpsCACertificates\" if you need to do HTTPS requests";
       }
       else
       {
-        LOG(WARNING) << "HTTPS will use the certificates from this file: " << cacert_;
+        LOG(WARNING) << "HTTPS will use the CA certificates from this file: " << globalCACertificates_;
       }
     }
     else
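Review bot: GlobalInitialize() only logs a warning when httpsVerifyPeers is true and the CA path is empty, and never checks that a non-empty path is readable; since Apply() now passes that path to CURLOPT_CAINFO on every request, a misspelled "HttpsCACertificates" value surfaces only as a curl error on the first HTTPS call. As this is the startup hook, probe the file here and make the failure loud, e.g. `if (!std::ifstream(globalCACertificates_.c_str())) { LOG(ERROR) << "Cannot read the CA certificates file: " << globalCACertificates_; }` (needs <fstream>, unless the project already has a file-existence helper to reuse). The "HTTPS will use the CA certificates from this file" message describes a normal configuration and reads better at INFO than WARNING, keeping WARNING for the empty-path case and the unverified branch. GlobalInitialize() continues past the end of the hunk — the `else` on the last line opens the branch taken when peer verification is disabled.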