From 10d48f1bad15b74de952aa8ce51d04ad60861c64 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 7 Jul 2017 20:16:00 +0200
Subject: net.http: Remove duplicate 'request' entry

---
 net/http.lua | 1 -
 1 file changed, 1 deletion(-)

(limited to 'net/http.lua')

diff --git a/net/http.lua b/net/http.lua
index d820e471..cce363ae 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -235,7 +235,6 @@ local function new(options)
 			return new(setmetatable(new_options, { __index = options }));
 		end or new;
 		events = events.new();
-		request = request;
 	};
 	return http;
 end
-- 
cgit v1.2.3


From 450544aad0a236e7ebcf3307e8fe8dbda683d775 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 7 Jul 2017 20:30:52 +0200
Subject: net.http: Expose defaults

---
 net/http.lua | 1 +
 1 file changed, 1 insertion(+)

(limited to 'net/http.lua')

diff --git a/net/http.lua b/net/http.lua
index cce363ae..0d14e526 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -245,6 +245,7 @@ return {
 	request = function (u, ex, callback)
 		return default_http:request(u, ex, callback);
 	end;
+	default = default_http;
 	new = new;
 	events = default_http.events;
 	-- COMPAT
-- 
cgit v1.2.3


From 708ce26bc81ce86b5f0a23f4beb3119210ab6d8f Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 7 Jul 2017 20:31:52 +0200
Subject: net.http: Move default SSL/TLS settings into options, allowing them
 to be overriden in new()

---
 net/http.lua | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'net/http.lua')

diff --git a/net/http.lua b/net/http.lua
index 0d14e526..756deaf4 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -196,7 +196,7 @@ local function request(self, u, ex, callback)
 
 	local sslctx = false;
 	if using_https then
-		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+		sslctx = ex and ex.sslctx or self.options and self.options.sslctx;
 	end
 
 	local handler, conn = server.addclient(host, port_number, listener, "*a", sslctx)
@@ -239,7 +239,9 @@ local function new(options)
 	return http;
 end
 
-local default_http = new();
+local default_http = new({
+	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+});
 
 return {
 	request = function (u, ex, callback)
-- 
cgit v1.2.3


From e605ac0987662ef14c3f0b642079a815961102e1 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 7 Jul 2017 21:04:30 +0200
Subject: net.http: Validate HTTPS certificates (fixes #659)

---
 net/http.lua | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'net/http.lua')

diff --git a/net/http.lua b/net/http.lua
index 756deaf4..eba050cd 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -11,6 +11,7 @@ local url = require "socket.url"
 local httpstream_new = require "net.http.parser".new;
 local util_http = require "util.http";
 local events = require "util.events";
+local verify_identity = require"util.x509".verify_identity;
 
 local ssl_available = pcall(require, "ssl");
 
@@ -34,6 +35,26 @@ local listener = { default_port = 80, default_mode = "*a" };
 
 function listener.onconnect(conn)
 	local req = requests[conn];
+
+	-- Validate certificate
+	if conn:ssl() then
+		local sock = conn:socket();
+		local chain_valid = sock.getpeerverification and sock:getpeerverification();
+		if not chain_valid then
+			req.callback("certificate-chain-invalid", 0, req);
+			req.callback = nil;
+			conn:close();
+			return;
+		end
+		local cert = sock.getpeercertificate and sock:getpeercertificate();
+		if not cert or not verify_identity(req.host, false, cert) then
+			req.callback("certificate-verify-failed", 0, req);
+			req.callback = nil;
+			conn:close();
+			return;
+		end
+	end
+
 	-- Send the request
 	local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" };
 	if req.query then
-- 
cgit v1.2.3


From 7e28119b3d3fe91b2f8541da2af90b232ab38412 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 7 Jul 2017 21:04:46 +0200
Subject: net.http: Add option for disabling TLS certifictate validation

---
 net/http.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'net/http.lua')

diff --git a/net/http.lua b/net/http.lua
index eba050cd..8364a104 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -37,7 +37,7 @@ function listener.onconnect(conn)
 	local req = requests[conn];
 
 	-- Validate certificate
-	if conn:ssl() then
+	if not req.insecure and conn:ssl() then
 		local sock = conn:socket();
 		local chain_valid = sock.getpeerverification and sock:getpeerverification();
 		if not chain_valid then
@@ -202,6 +202,7 @@ local function request(self, u, ex, callback)
 				headers[k] = v;
 			end
 		end
+		req.insecure = ex.insecure;
 	end
 
 	log("debug", "Making %s %s request '%s' to %s", req.scheme:upper(), method or "GET", req.id, (ex and ex.suppress_url and host_header) or u);
-- 
cgit v1.2.3