Feat: Add verify_ssl field to gix-transport Options which is used to …

…disable SSL verification. Currently this option only works in the curl backend.
Byron · Nov 29, 2023 · 369c565 · 369c565
1 parent 5d8b5f4
commit 369c565
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/gix-transport/src/client/blocking_io/http/curl/remote.rs b/gix-transport/src/client/blocking_io/http/curl/remote.rs
@@ -157,6 +157,7 @@ pub fn new() -> (
                     verbose,
                     ssl_ca_info,
                     ssl_version,
+                    ssl_verify,
                     http_version,
                     backend,
                 },
@@ -194,6 +195,8 @@ pub fn new() -> (
                 }
             }
 
+            handle.ssl_verify_peer(ssl_verify)?;
+
             if let Some(http_version) = http_version {
                 let version = match http_version {
                     HttpVersion::V1_1 => curl::easy::HttpVersion::V11,

diff --git a/gix-transport/src/client/blocking_io/http/mod.rs b/gix-transport/src/client/blocking_io/http/mod.rs
@@ -179,6 +179,10 @@ pub struct Options {
     pub ssl_ca_info: Option<PathBuf>,
     /// The SSL version or version range to use, or `None` to let the TLS backend determine which versions are acceptable.
     pub ssl_version: Option<SslVersionRangeInclusive>,
+    /// Controls whether to perform SSL identity verification or not. Turning this off is not recommended and can lead to
+    /// various security risks. An example where this may be needed is when an internal git server uses a self-signed
+    /// certificate and the user accepts the associated security risks.
+    pub ssl_verify: bool,
     /// The HTTP version to enforce. If unset, it is implementation defined.
     pub http_version: Option<HttpVersion>,
     /// Backend specific options, if available.