From 8fd9cbf91bb7190450531b25a3806c5b7f69744e Mon Sep 17 00:00:00 2001

From: Vratislav Podzimek <vpodzime@redhat.com>

Date: Tue, 17 May 2016 12:13:40 +0200

Subject: [PATCH 03/13] Do not verify SSL if inst.noverifyssl was given

inst.noverifyssl is a boot/cmdline option which should take precedence over

everything specified in the kickstart or UI.

Resolves: rhbz#1263257

---

 org_fedora_oscap/data_fetch.py | 13 +++++++++++++

 1 file changed, 13 insertions(+)

diff --git a/org_fedora_oscap/data_fetch.py b/org_fedora_oscap/data_fetch.py

index 21edd0f..7336025 100644

--- a/org_fedora_oscap/data_fetch.py

+++ b/org_fedora_oscap/data_fetch.py

@@ -9,8 +9,14 @@ import os

 import os.path

 import pycurl

+from pyanaconda.flags import flags as ana_flags

+

 from org_fedora_oscap import utils

+import logging

+log = logging.getLogger("anaconda")

+

+

 # everything else should be private

 __all__ = ["fetch_data", "can_fetch_from"]

@@ -150,8 +156,15 @@ def _fetch_http_ftp_data(url, out_file, ca_certs=None):

     if ca_certs and protocol == "https":

         # the strictest verification

         curl.setopt(pycurl.SSL_VERIFYHOST, 2)

+        curl.setopt(pycurl.SSL_VERIFYPEER, 1)

         curl.setopt(pycurl.CAINFO, ca_certs)

+    # may be turned off by flags (specified on command line, take precedence)

+    if ana_flags.noverifyssl:

+        log.warning("Disabling SSL verification due to the noverifyssl flag")

+        curl.setopt(pycurl.SSL_VERIFYHOST, 0)

+        curl.setopt(pycurl.SSL_VERIFYPEER, 0)

+

     try:

         with open(out_file, "w") as fobj:

             curl.setopt(pycurl.WRITEDATA, fobj)

-- 

2.5.5