Pre-allow self signed server certificates in secure connections

By setting PCP_SERVER_SELF_CERT, a client can instruct libpcp
to accept a self signed server certificate on its behalf.
1 parent b23487a commit e440d98b12930e3638c22b0fe80b7667ed3a04d9 Cloud User committed Apr 14, 2016
Showing with 4 additions and 1 deletion.
  1. +4 −1 src/libpcp/src/secureconnect.c
@@ -391,6 +391,9 @@ queryCertificateAuthority(PRFileDesc *sslsocket)
int secsts = SECFailure;
char *result;
CERTCertificate *servercert;
+ int AllowSelfSignedCerts;
+
+ AllowSelfSignedCerts = (getenv("PCP_ALLOW_SERVER_SELF_CERT") != NULL );
result = SSL_RevealURL(sslsocket);
pmprintf("WARNING: "
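Review bot: The added assignment reads `getenv("PCP_ALLOW_SERVER_SELF_CERT")`, but the commit message documents the variable as PCP_SERVER_SELF_CERT, so a user following the message would set a name this code never looks at; pick one name and use it in both places. The `!= NULL` test also turns the override on for any value, including an empty string or "0", which is easy to trigger by accident when the variable is inherited from a parent environment. Consider requiring an explicit value such as "1", and documenting the variable alongside the other PCP environment settings, since it changes a certificate trust decision.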
@@ -401,7 +404,7 @@ queryCertificateAuthority(PRFileDesc *sslsocket)
servercert = SSL_PeerCertificate(sslsocket);
if (servercert) {
reportFingerprint(&servercert->derCert);
- sts = queryCertificateOK("Do you want to accept and save this certificate locally anyway");
+ sts = AllowSelfSignedCerts || queryCertificateOK("Do you want to accept and save this certificate locally anyway");
if (sts == 1) {
saveUserCertificate(servercert);
secsts = SECSuccess;
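Review bot: On the changed `sts = AllowSelfSignedCerts || queryCertificateOK(...)` line, setting the variable skips the prompt and then falls straight into `saveUserCertificate(servercert)`, so whatever certificate the peer presents on this path is accepted and stored permanently with no comparison against an expected fingerprint. Nothing in the visible lines checks that the certificate is actually self signed or that it belongs to the intended server, so the override trusts the first certificate seen from any endpoint the client reaches while the variable is set. Suggest either comparing the fingerprint already computed for `reportFingerprint(&servercert->derCert)` against a value supplied by the user, or accepting for the current connection only without calling `saveUserCertificate`, and emitting a distinct warning that the certificate was accepted without confirmation so the event is visible in logs.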
