acme-client(1): insecure API urls
Add insecure API endpoints for regress test with "pebble".
This is intentionally undocumented.
With this I can talk to pebble and get a cert, unless it refuses our
nonce, which it does 5% of the time in the default config.
OK?
diff --git http.c http.c
index c996a1d519f..8f6c714ed81 100644
--- http.c
+++ http.c
@@ -95,7 +95,7 @@ dotlswrite(const void *buf, size_t sz, const struct http *http)
}
int
-http_init(void)
+http_init(int insecure)
{
if (tlscfg != NULL)
return 0;
@@ -110,6 +110,10 @@ http_init(void)
warn("tls_config_set_ca_file: %s", tls_config_error(tlscfg));
goto err;
}
+ if (insecure) {
+ tls_config_insecure_noverifycert(tlscfg);
+ tls_config_insecure_noverifyname(tlscfg);
+ }
return 0;
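Review bot: The `if (insecure)` branch switches off both certificate-chain and hostname verification without leaving any trace in the output, so a run against an authority marked `insecure` looks the same in the logs as a verified one. Because this connection carries the whole ACME exchange, I would emit a warning inside the branch, e.g. `warnx("TLS certificate and name verification disabled");`. Note also the `tlscfg != NULL` early return in the previous hunk: the flag only takes effect on the first call, which is fine if netproc calls http_init once, as the netproc.c hunk suggests. http_init's body starts in the previous hunk and its `err` label lies outside this one.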
diff --git http.h http.h
index decff70367b..299171bef8f 100644
--- http.h
+++ http.h
@@ -52,7 +52,7 @@ struct httpget {
size_t bodypartsz; /* size of bodypart */
};
-int http_init(void);
+int http_init(int);
/* Convenience functions. */
struct httpget *http_get(const struct source *, size_t,
diff --git netproc.c netproc.c
index 3517868564e..eff305d69d3 100644
--- netproc.c
+++ netproc.c
@@ -711,7 +711,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
goto out;
}
- if (http_init() == -1) {
+ if (http_init(authority->insecure) == -1) {
warn("http_init");
goto out;
}
diff --git parse.h parse.h
index 3954f62a0d0..137c63e3721 100644
--- parse.h
+++ parse.h
@@ -36,6 +36,7 @@ struct authority_c {
TAILQ_ENTRY(authority_c) entry;
char *name;
char *api;
+ int insecure;
char *account;
enum keytype keytype;
char *contact;
diff --git parse.y parse.y
index 2b0d55f20b1..e30f9121ef3 100644
--- parse.y
+++ parse.y
@@ -106,6 +106,7 @@ typedef struct {
%token INCLUDE
%token ERROR
%token RSA ECDSA
+%token INSECURE
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> string
@@ -240,6 +241,9 @@ authorityoptsl : API URL STRING {
err(EXIT_FAILURE, "strdup");
auth->contact = s;
}
+ | INSECURE {
+ auth->insecure = 1;
+ }
;
domain : DOMAIN STRING {
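Review bot: The new `INSECURE` alternative in `authorityoptsl` carries no comment, and since the keyword is deliberately left out of the manual, the grammar is the only place a maintainer can learn what it does. I would add a line above `auth->insecure = 1;` such as `/* regress only: disables TLS verification for this authority; undocumented on purpose */`. The rule begins before this hunk.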
@@ -467,6 +471,7 @@ lookup(char *s)
{"ecdsa", ECDSA},
{"full", FULL},
{"include", INCLUDE},
+ {"insecure", INSECURE},
{"key", KEY},
{"name", NAME},
{"names", NAMES},
@@ -1054,6 +1059,8 @@ print_config(struct acme_conf *xconf)
if (a->account != NULL)
printf("\taccount key \"%s\" %s\n", a->account,
kt2txt(a->keytype));
+ if (a->insecure)
+ printf("\tinsecure\n");
printf("}\n\n");
}
TAILQ_FOREACH(d, &xconf->domain_list, entry) {
--
In my defence, I have been left unsupervised.
acme-client(1): insecure API urls