From 9f3a8e7f1bf0679e8fd0731567991f9fd6bfb6c0 Mon Sep 17 00:00:00 2001
From: Ztec
Date: Thu, 13 Jun 2024 13:09:47 +0200
Subject: [PATCH] Request builder: Allow the use of insecure TLS ciphers when `Allow self-signed or invalid certificates` is used

Some server on the wild are badly configured. Either by mistake or lack of maintenance. Safe and unsafe Ciphers change overtime based on new discoveries. This proposition will include considered unsafe ciphers when `Allow self-signed or invalid certificates` is used. It could be put into a separate option but, I felt this could fit in.

fix #2671
---
 internal/reader/fetcher/request_builder.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/internal/reader/fetcher/request_builder.go b/internal/reader/fetcher/request_builder.go
index 77c18948..5ed10a51 100644
--- a/internal/reader/fetcher/request_builder.go
+++ b/internal/reader/fetcher/request_builder.go
@@ -109,6 +109,16 @@ func (r *RequestBuilder) IgnoreTLSErrors(value bool) *RequestBuilder {
 }
 
 func (r *RequestBuilder) ExecuteRequest(requestURL string) (*http.Response, error) {
+	// We get the safe ciphers
+	ciphers := tls.CipherSuites()
+	if r.ignoreTLSErrors {
+		// and the insecure ones if we are ignoring TLS errors. This allows to connect to badly configured servers anyway
+		ciphers = append(ciphers, tls.InsecureCipherSuites()...)
+	}
+	cipherSuites := []uint16{}
+	for _, cipher := range ciphers {
+		cipherSuites = append(cipherSuites, cipher.ID)
+	}
 	transport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		// Setting `DialContext` disables HTTP/2, this option forces the transport to try HTTP/2 regardless.
@@ -128,6 +138,7 @@ func (r *RequestBuilder) ExecuteRequest(requestURL string) (*http.Response, erro
 		IdleConnTimeout: 10 * time.Second,
 		TLSClientConfig: &tls.Config{
+			CipherSuites: cipherSuites,
 			InsecureSkipVerify: r.ignoreTLSErrors,
 		},
 	}
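Review bot: The non-opt-in path changes as well: `cipherSuites` is built from `tls.CipherSuites()` and handed to `TLSClientConfig` unconditionally, so feeds without `Allow self-signed or invalid certificates` now get an explicit suite list where they previously got the nil default, which the commit message does not describe. Per the crypto/tls documentation an explicit `CipherSuites` replaces the runtime's default selection for TLS 1.0–1.2 (TLS 1.3 suites are unaffected either way), so it is safer to leave the field nil unless `r.ignoreTLSErrors` is set and only then widen the list; the wiring in the second hunk (`CipherSuites: cipherSuites,`) can stay as is, since a nil slice there keeps the default. The added comments also understate the trade-off — I would replace `// We get the safe ciphers` and the inner comment with one note such as `// Keep the runtime default unless the user opted out of TLS verification; then also offer the suites Go marks insecure so badly configured servers remain reachable.` ExecuteRequest continues past the end of this hunk.
```go
func (r *RequestBuilder) ExecuteRequest(requestURL string) (*http.Response, error) {
	// Keep the runtime default (nil) unless the user opted out of TLS
	// verification; then also offer the suites Go marks insecure so badly
	// configured servers remain reachable.
	var cipherSuites []uint16
	if r.ignoreTLSErrors {
		ciphers := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
		cipherSuites = make([]uint16, 0, len(ciphers))
		for _, cipher := range ciphers {
			cipherSuites = append(cipherSuites, cipher.ID)
		}
	}
	// … unchanged: transport literal …
```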