Request builder: Allow the use of insecure TLS ciphers when `Allow self-signed or invalid certificates` is used

Some server on the wild are badly configured. Either by mistake or lack of maintenance. Safe and unsafe Ciphers change overtime based on new discoveries. This proposition will include considered unsafe ciphers when `Allow self-signed or invalid certificates` is used. It could be put into a separate option but, I felt this could fit in. fix #2671
2024-06-13 13:09:47 +02:00 · 2024-06-13 13:09:47 +02:00 · 9f3a8e7f1b
parent e54825bf02
commit 9f3a8e7f1b
1 changed files with 11 additions and 0 deletions
--- a/internal/reader/fetcher/request_builder.go
+++ b/internal/reader/fetcher/request_builder.go
@ -109,6 +109,16 @@ func (r *RequestBuilder) IgnoreTLSErrors(value bool) *RequestBuilder {
 }

 func (r *RequestBuilder) ExecuteRequest(requestURL string) (*http.Response, error) {
+	// We get the safe ciphers
+	ciphers := tls.CipherSuites()
+	if r.ignoreTLSErrors {
+		// and the insecure ones if we are ignoring TLS errors. This allows to connect to badly configured servers anyway
+		ciphers = append(ciphers, tls.InsecureCipherSuites()...)
+	}
+	cipherSuites := []uint16{}
+	for _, cipher := range ciphers {
+		cipherSuites = append(cipherSuites, cipher.ID)
+	}
 	transport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		// Setting `DialContext` disables HTTP/2, this option forces the transport to try HTTP/2 regardless.
@ -128,6 +138,7 @@ func (r *RequestBuilder) ExecuteRequest(requestURL string) (*http.Response, erro
 		IdleConnTimeout: 10 * time.Second,

 		TLSClientConfig: &tls.Config{
+			CipherSuites:       cipherSuites,
 			InsecureSkipVerify: r.ignoreTLSErrors,
 		},
 	}