(proxy, remote acl's) add option to disable cert validation, closes...

(proxy, remote acl's) add option to disable cert validation, closes https://github.com/opnsense/core/issues/1271 (cherry picked from commit 1b442b8e)

(proxy, remote acl's) add option to disable cert validation, closes...
(proxy, remote acl's) add option to disable cert validation, closes https://github.com/opnsense/core/issues/1271 (cherry picked from commit 1b442b8e)
867e87b1 · Ad Schellevis · Franco Fichtner · 10cabd37 · 867e87b1 · 867e87b1
Commit 867e87b1 authored Nov 27, 2016 by Ad Schellevis Committed by Franco Fichtner Nov 30, 2016
4 changed files
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml
@@ -38,6 +38,12 @@
        <nbDropdownElements>300</nbDropdownElements>
        <help><![CDATA[select categories to use, leave empty for all. Categories are visible after initial download.]]></help>
    </field>
+    <field>
+        <id>blacklist.sslNoVerify</id>
+        <label>ssl ignore cert</label>
+        <type>checkbox</type>
+        <help>Ignore SSL certificate validation (for self-signed certificates)</help>
+    </field>
    <field>
        <id>blacklist.description</id>
        <label>Description</label>

--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -330,6 +330,10 @@
                                <SelectAll>Y</SelectAll>
                                <Multiple>Y</Multiple>
                            </filter>
+                            <sslNoVerify type="BooleanField">
+                                <default>0</default>
+                                <Required>Y</Required>
+                            </sslNoVerify>
                            <description type="TextField">
                                <Required>Y</Required>
                                <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>

--- a/src/opnsense/scripts/proxy/fetchACLs.py
+++ b/src/opnsense/scripts/proxy/fetchACLs.py
@@ -50,7 +50,7 @@ class Downloader(object):
    """ Download helper
    """

-    def __init__(self, url,username, password, timeout):
+    def __init__(self, url,username, password, timeout, ssl_no_verify=False):
        """ init new
            :param url: source url
            :param timeout: timeout in seconds
@@ -60,6 +60,7 @@ class Downloader(object):
        self._source_handle = None
        self._username = username
        self._password = password
+        self._ssl_no_verify = ssl_no_verify

    def fetch(self):
        """ fetch (raw) source data into tempfile using self._source_handle
@@ -67,11 +68,16 @@ class Downloader(object):
        self._source_handle = None
        if self._url.lower().startswith('http://') or self._url.lower().startswith('https://'):
            # HTTP(S) download
+            req_opts = dict()
+            req_opts['url'] = self._url
+            req_opts['stream'] = True
+            req_opts['timeout'] = self._timeout
+            if self._ssl_no_verify:
+                req_opts['verify'] = False
            if self._username is not None:
-                req = requests.get(url=self._url, stream=True, timeout=self._timeout,
-                                   auth=(self._username, self._password))
-            else:
-                req = requests.get(url=self._url, stream=True, timeout=self._timeout)
+                req_opts['auth'] = (self._username, self._password)
+
+            req = requests.get(**req_opts)
            if req.status_code == 200:
                self._source_handle = tempfile.NamedTemporaryFile()
                shutil.copyfileobj(req.raw, self._source_handle)
@@ -301,7 +307,11 @@ def main():
                    else:
                        download_username = None
                        download_password = None
-                    acl = Downloader(download_url, download_username, download_password, acl_max_timeout)
+                    if cnf.has_option(section, 'sslNoVerify') and cnf.get(section, 'sslNoVerify') == '1':
+                        sslNoVerify = True
+                    else:
+                        sslNoVerify = False
+                    acl = Downloader(download_url, download_username, download_password, acl_max_timeout, sslNoVerify)
                    all_filenames = list()
                    for filename, basefilename, file_ext, line in acl.download():
                        if filename_in_ignorelist(basefilename, file_ext):

--- a/src/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf
@@ -11,5 +11,6 @@ filter:{{blacklist.filter|default('')}}
 username={{blacklist.username}}
 password={{blacklist.password|default('')}}
 {% endif %}
+sslNoVerify={{blacklist.sslNoVerify|default('0')}}
 {%   endfor %}
 {% endif %}