Allow disabling SSL strict mode for broken corporate proxies

data/bash-completion/fwupdmgr.in

@@ -45,6 +45,7 @@ _fwupdmgr_opts=(
 	'--sign'
 	'--filter'
 	'--log'
+	'--disable-ssl-strict'
 )
 
 _show_filters()

data/bash-completion/fwupdtool.in

@@ -34,6 +34,7 @@ _fwupdtool_opts=(
 	'--prepare'
 	'--cleanup'
 	'--filter'
+	'--disable-ssl-strict'
 )
 
 _show_filters()

src/fu-tool.c

@@ -54,6 +54,7 @@ struct FuUtilPrivate {
 	gboolean		 enable_json_state;
 	FwupdInstallFlags	 flags;
 	gboolean		 show_all_devices;
+	gboolean		 disable_ssl_strict;
 	/* only valid in update and downgrade */
 	FuUtilOperation		 current_operation;
 	FwupdDevice		*current_device;
@@ -1418,6 +1419,9 @@ main (int argc, char *argv[])
 		{ "enable-json-state", '\0', 0, G_OPTION_ARG_NONE, &priv->enable_json_state,
 			/* TRANSLATORS: command line option */
 			_("Save device state into a JSON file between executions"), NULL },
+		{ "disable-ssl-strict", '\0', 0, G_OPTION_ARG_NONE, &priv->disable_ssl_strict,
+			/* TRANSLATORS: command line option */
+			_("Ignore SSL strict checks when downloading files"), NULL },
 		{ "filter", '\0', 0, G_OPTION_ARG_STRING, &filter,
 			/* TRANSLATORS: command line option */
 			_("Filter with a set of device flags using a ~ prefix to "
@@ -1594,6 +1598,15 @@ main (int argc, char *argv[])
 		return EXIT_FAILURE;
 	}
 
+	/* allow disabling SSL strict mode for broken corporate proxies */
+	if (priv->disable_ssl_strict) {
+		/* TRANSLATORS: try to help */
+		g_printerr ("%s\n", _("WARNING: Ignoring SSL strict checks, "
+				      "to do this automatically in the future "
+				      "export DISABLE_SSL_STRICT in your environment"));
+		g_setenv ("DISABLE_SSL_STRICT", "1", TRUE);
+	}
+
 	/* parse filter flags */
 	if (filter != NULL) {
 		if (!fu_util_parse_filter_flags (filter,

src/fu-util-common.c

@@ -542,6 +542,10 @@ fu_util_setup_networking (GError **error)
 		return NULL;
 	}
 
+	/* relax the SSL checks for broken corporate proxies */
+	if (g_getenv ("DISABLE_SSL_STRICT") != NULL)
+		g_object_set (session, SOUP_SESSION_SSL_STRICT, FALSE, NULL);
+
 	/* set the proxy */
 	http_proxy = g_getenv ("https_proxy");
 	if (http_proxy == NULL)

src/fu-util.c

@@ -57,6 +57,7 @@ struct FuUtilPrivate {
 	gboolean		 assume_yes;
 	gboolean		 sign;
 	gboolean		 show_all_devices;
+	gboolean		 disable_ssl_strict;
 	/* only valid in update and downgrade */
 	FuUtilOperation		 current_operation;
 	FwupdDevice		*current_device;
@@ -2061,6 +2062,9 @@ main (int argc, char *argv[])
 		{ "show-all-devices", '\0', 0, G_OPTION_ARG_NONE, &priv->show_all_devices,
 			/* TRANSLATORS: command line option */
 			_("Show devices that are not updatable"), NULL },
+		{ "disable-ssl-strict", '\0', 0, G_OPTION_ARG_NONE, &priv->disable_ssl_strict,
+			/* TRANSLATORS: command line option */
+			_("Ignore SSL strict checks when downloading files"), NULL },
 		{ "filter", '\0', 0, G_OPTION_ARG_STRING, &filter,
 			/* TRANSLATORS: command line option */
 			_("Filter with a set of device flags using a ~ prefix to "
@@ -2262,6 +2266,15 @@ main (int argc, char *argv[])
 		return EXIT_FAILURE;
 	}
 
+	/* allow disabling SSL strict mode for broken corporate proxies */
+	if (priv->disable_ssl_strict) {
+		/* TRANSLATORS: try to help */
+		g_printerr ("%s\n", _("WARNING: Ignoring SSL strict checks, "
+				      "to do this automatically in the future "
+				      "export DISABLE_SSL_STRICT in your environment"));
+		g_setenv ("DISABLE_SSL_STRICT", "1", TRUE);
+	}
+
 	/* non-TTY consoles cannot answer questions */
 	if (log != NULL ||
 	    isatty (fileno (stdout)) == 0) {