From 1de4462974113ac18cf98f903e97cd1127fa842f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 25 Apr 2018 12:37:34 +0200 Subject: dirmngr: Allow redirection from https to http for CRLs * dirmngr/ks-engine.h (KS_HTTP_FETCH_NOCACHE): New flag. (KS_HTTP_FETCH_TRUST_CFG): Ditto. (KS_HTTP_FETCH_NO_CRL): Ditto. (KS_HTTP_FETCH_ALLOW_DOWNGRADE): Ditto. * dirmngr/ks-engine-http.c (ks_http_fetch): Replace args send_no_cache and extra_http_trust_flags by a new flags arg. Allow redirectiong from https to http it KS_HTTP_FETCH_ALLOW_DOWNGRADE is set. * dirmngr/loadswdb.c (fetch_file): Call with KS_HTTP_FETCH_NOCACHE. * dirmngr/ks-action.c (ks_action_get): Ditto. (ks_action_fetch): Ditto. * dirmngr/crlfetch.c (crl_fetch): Call with the appropriate flags. -- Signed-off-by: Werner Koch --- dirmngr/crlfetch.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'dirmngr/crlfetch.c') diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index 0d27aa0f1..57ac51b93 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -175,11 +175,14 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) else { /* Note that we also allow root certificates loaded from - * "/etc/gnupg/trusted-certs/". We also do not consult - * the CRL for the TLS connection - that may lwad to a - * loop. */ - err = ks_http_fetch (ctrl, url, 0, - (HTTP_FLAG_TRUST_CFG | HTTP_FLAG_NO_CRL), + * "/etc/gnupg/trusted-certs/". We also do not consult the + * CRL for the TLS connection - that may lead to a loop. + * Due to cacert.org redirecting their https URL to http we + * also allow such a downgrade. */ + err = ks_http_fetch (ctrl, url, + (KS_HTTP_FETCH_TRUST_CFG + | KS_HTTP_FETCH_NO_CRL + | KS_HTTP_FETCH_ALLOW_DOWNGRADE ), &httpfp); } -- cgit v1.2.3