From 0e46b2272842ed056a8f5b75d1f88ca405b951f2 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Thu, 5 Sep 2019 12:13:35 +0100
Subject: [PATCH] Allow disabling SSL strict mode for broken corporate proxies
---
 data/bash-completion/fwupdmgr.in | 1 +
 data/bash-completion/fwupdtool.in | 1 +
 src/fu-tool.c | 13 +++++++++++++
 src/fu-util-common.c | 4 ++++
 src/fu-util.c | 13 +++++++++++++
 5 files changed, 32 insertions(+)
diff --git a/data/bash-completion/fwupdmgr.in b/data/bash-completion/fwupdmgr.in
index 45590caab..b0b03de95 100644
--- a/data/bash-completion/fwupdmgr.in
+++ b/data/bash-completion/fwupdmgr.in
@@ -45,6 +45,7 @@ _fwupdmgr_opts=(
 '--sign'
 '--filter'
 '--log'
+ '--disable-ssl-strict'
 )
 _show_filters()
diff --git a/data/bash-completion/fwupdtool.in b/data/bash-completion/fwupdtool.in
index 93deffa0c..c7c6d3c7f 100644
--- a/data/bash-completion/fwupdtool.in
+++ b/data/bash-completion/fwupdtool.in
@@ -34,6 +34,7 @@ _fwupdtool_opts=(
 '--prepare'
 '--cleanup'
 '--filter'
+ '--disable-ssl-strict'
 )
 _show_filters()
diff --git a/src/fu-tool.c b/src/fu-tool.c
index f27808759..e4a670670 100644
--- a/src/fu-tool.c
+++ b/src/fu-tool.c
@@ -54,6 +54,7 @@ struct FuUtilPrivate {
 gboolean enable_json_state;
 FwupdInstallFlags flags;
 gboolean show_all_devices;
+ gboolean disable_ssl_strict;
 /* only valid in update and downgrade */
 FuUtilOperation current_operation;
 FwupdDevice *current_device;
@@ -1418,6 +1419,9 @@ main (int argc, char *argv[])
 { "enable-json-state", '\0', 0, G_OPTION_ARG_NONE, &priv->enable_json_state,
 /* TRANSLATORS: command line option */
 _("Save device state into a JSON file between executions"), NULL },
+ { "disable-ssl-strict", '\0', 0, G_OPTION_ARG_NONE, &priv->disable_ssl_strict,
+ /* TRANSLATORS: command line option */
+ _("Ignore SSL strict checks when downloading files"), NULL },
 { "filter", '\0', 0, G_OPTION_ARG_STRING, &filter,
 /* TRANSLATORS: command line option */
 _("Filter with a set of device flags using a ~ prefix to "
@@ -1594,6 +1598,15 @@ main (int argc, char *argv[])
 return EXIT_FAILURE;
 }
+ /* allow disabling SSL strict mode for broken corporate proxies */
+ if (priv->disable_ssl_strict) {
+ /* TRANSLATORS: try to help */
+ g_printerr ("%s\n", _("WARNING: Ignoring SSL strict checks, "
+ "to do this automatically in the future "
+ "export DISABLE_SSL_STRICT in your environment"));
+ g_setenv ("DISABLE_SSL_STRICT", "1", TRUE);
+ }
+
 /* parse filter flags */
 if (filter != NULL) {
 if (!fu_util_parse_filter_flags (filter,
diff --git a/src/fu-util-common.c b/src/fu-util-common.c
index 7349b5ef5..1daa18865 100644
--- a/src/fu-util-common.c
+++ b/src/fu-util-common.c
@@ -542,6 +542,10 @@ fu_util_setup_networking (GError **error)
 return NULL;
 }
+ /* relax the SSL checks for broken corporate proxies */
+ if (g_getenv ("DISABLE_SSL_STRICT") != NULL)
+ g_object_set (session, SOUP_SESSION_SSL_STRICT, FALSE, NULL);
+
 /* set the proxy */
 http_proxy = g_getenv ("https_proxy");
 if (http_proxy == NULL)
diff --git a/src/fu-util.c b/src/fu-util.c
index 7abef11ce..fd4bc052a 100644
--- a/src/fu-util.c
+++ b/src/fu-util.c
@@ -57,6 +57,7 @@ struct FuUtilPrivate {
 gboolean assume_yes;
 gboolean sign;
 gboolean show_all_devices;
+ gboolean disable_ssl_strict;
 /* only valid in update and downgrade */
 FuUtilOperation current_operation;
 FwupdDevice *current_device;
@@ -2061,6 +2062,9 @@ main (int argc, char *argv[])
 { "show-all-devices", '\0', 0, G_OPTION_ARG_NONE, &priv->show_all_devices,
 /* TRANSLATORS: command line option */
 _("Show devices that are not updatable"), NULL },
+ { "disable-ssl-strict", '\0', 0, G_OPTION_ARG_NONE, &priv->disable_ssl_strict,
+ /* TRANSLATORS: command line option */
+ _("Ignore SSL strict checks when downloading files"), NULL },
 { "filter", '\0', 0, G_OPTION_ARG_STRING, &filter,
 /* TRANSLATORS: command line option */
 _("Filter with a set of device flags using a ~ prefix to "
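Review bot: In the `main` hunk of src/fu-tool.c (`@@ -1594,6 +1598,15 @@`), the warning never says that TLS certificate validation is being skipped, and it then advises exporting `DISABLE_SSL_STRICT` permanently, which turns a one-off proxy workaround into a standing configuration that nobody sees again. I would word it as `_("WARNING: TLS certificate validation is disabled for this run, the download server cannot be authenticated")` and drop the hint about exporting the variable. The `g_setenv ()` result is also ignored, so if it fails the warning is printed but strict checking stays on; check the return value, or pass the flag to the networking setup directly instead of through the process environment, which child processes inherit. The identical block in src/fu-util.c (`@@ -2262,6 +2266,15 @@`) needs the same change; `main` starts and ends outside both hunks.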
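Review bot: In `fu_util_setup_networking` (src/fu-util-common.c, `@@ -542,6 +542,10 @@`), the new check only tests that `DISABLE_SSL_STRICT` is present, so `DISABLE_SSL_STRICT=0` or an empty value inherited from a shell profile or service unit also turns certificate validation off for the whole session. That path is silent, because the only warning lives in the two `main` functions behind the command-line flag. Compare the value explicitly, e.g. `if (g_strcmp0 (g_getenv ("DISABLE_SSL_STRICT"), "1") == 0)`, and put a `g_warning ()` beside the `g_object_set ()` call so every relaxed session is logged; the CLI hint to "export DISABLE_SSL_STRICT" would then need to name the value. The comment should also state what still protects downloads once the transport is unauthenticated, since any later signature check on the fetched files is not visible in this hunk, and the function body continues outside it.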
@@ -2262,6 +2266,15 @@ main (int argc, char *argv[])
 return EXIT_FAILURE;
 }
+ /* allow disabling SSL strict mode for broken corporate proxies */
+ if (priv->disable_ssl_strict) {
+ /* TRANSLATORS: try to help */
+ g_printerr ("%s\n", _("WARNING: Ignoring SSL strict checks, "
+ "to do this automatically in the future "
+ "export DISABLE_SSL_STRICT in your environment"));
+ g_setenv ("DISABLE_SSL_STRICT", "1", TRUE);
+ }
+
 /* non-TTY consoles cannot answer questions */
 if (log != NULL || isatty (fileno (stdout)) == 0) {