client: add option for allowing redirect tls downgrades

2025-03-30 00:00:16 +01:00 · 2021-06-16 07:21:48 +01:00 · 2021-06-16 07:21:48 +01:00 · f8f1749be9
commit f8f1749be9
parent 983edafdb4
2 changed files with 6 additions and 2 deletions
--- a/include/libwebsockets/lws-client.h
+++ b/include/libwebsockets/lws-client.h
@ -1,7 +1,7 @@
 /*
 * libwebsockets - small server side websockets and web server implementation
 *
- * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
+ * Copyright (C) 2010 - 2021 Andy Green <andy@warmcat.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
@ -93,6 +93,9 @@ enum lws_client_connect_ssl_connection_flags {
 	LCCSCF_CONMON				= (1 << 28),
 	/**< If LWS_WITH_CONMON enabled for build, keeps a copy of the
 	 * getaddrinfo results so they can be queried subsequently */
+	LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS	= (1 << 29),
+	/**< By default lws rejects https redirecting to http.  Set this
+	 * flag on the client connection to allow it. */
 };

 /** struct lws_client_connect_info - parameters to connect with when using
--- a/lib/roles/http/client/client-http.c
+++ b/lib/roles/http/client/client-http.c
@ -771,7 +771,8 @@ lws_client_interpret_server_handshake(struct lws *wsi)
 		}

 #if defined(LWS_WITH_TLS)
-		if ((wsi->tls.use_ssl & LCCSCF_USE_SSL) && !ssl) {
+		if ((wsi->tls.use_ssl & LCCSCF_USE_SSL) && !ssl &&
+		     !(wsi->flags & LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS)) {
 			cce = "HS: Redirect attempted SSL downgrade";
 			goto bail3;
 		}