From f8f1749be9c2bd36ee6aa33171b349a82d02b0a1 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Wed, 16 Jun 2021 07:21:48 +0100
Subject: [PATCH] client: add option for allowing redirect tls downgrades
---
 include/libwebsockets/lws-client.h | 5 ++++-
 lib/roles/http/client/client-http.c | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/libwebsockets/lws-client.h b/include/libwebsockets/lws-client.h
index 38de89762..fa01e2b45 100644
--- a/include/libwebsockets/lws-client.h
+++ b/include/libwebsockets/lws-client.h
@@ -1,7 +1,7 @@
 /*
  * libwebsockets - small server side websockets and web server implementation
  *
- * Copyright (C) 2010 - 2019 Andy Green
+ * Copyright (C) 2010 - 2021 Andy Green
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to
@@ -93,6 +93,9 @@ enum lws_client_connect_ssl_connection_flags {
 	LCCSCF_CONMON = (1 << 28),
 	/**< If LWS_WITH_CONMON enabled for build, keeps a copy of the
 	 * getaddrinfo results so they can be queried subsequently */
+	LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS = (1 << 29),
+	/**< By default lws rejects https redirecting to http. Set this
+	 * flag on the client connection to allow it. */
 };
 
 /** struct lws_client_connect_info - parameters to connect with when using
diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c
index e09b6f01c..3cca39540 100644
--- a/lib/roles/http/client/client-http.c
+++ b/lib/roles/http/client/client-http.c
@@ -771,7 +771,8 @@ lws_client_interpret_server_handshake(struct lws *wsi)
 	}
 
 #if defined(LWS_WITH_TLS)
-	if ((wsi->tls.use_ssl & LCCSCF_USE_SSL) && !ssl) {
+	if ((wsi->tls.use_ssl & LCCSCF_USE_SSL) && !ssl &&
+	    !(wsi->flags & LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS)) {
 		cce = "HS: Redirect attempted SSL downgrade";
 		goto bail3;
 	}
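Review bot: The doc comment on the new `LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS` flag in the second hunk says what the flag permits but not what it gives up, and a flag like this tends to get copied into production configs without that context. I would extend it to name the risk and the intended scope, e.g. `/**< By default lws rejects https redirecting to http, since anyone able to inject a redirect could otherwise strip TLS from the rest of the connection. Set this flag on the client connection to allow it, only where the plaintext leg carries nothing sensitive. */`. Whether credentials or headers from the original request are resent on the plaintext leg is not visible in this diff, so the wording above stays general. The enclosing enum starts before this hunk.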
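Review bot: With the flag set, the https-to-http redirect in the third hunk is now accepted silently: the new clause only gates the `goto bail3` path and leaves no record that a downgrade took place, so an operator who opted in cannot see from the logs when it actually happens. I would split the condition so the rejected case is unchanged and the accepted case logs at warn level, using whichever `lwsl_*` warn helper this file already uses (`lwsl_warn` below is assumed). Separately, the existing test reads the LCCSCF_USE_SSL bit from `wsi->tls.use_ssl` while the new clause reads the new LCCSCF_ bit from `wsi->flags`; if both are filled from the same `ssl_connection` value that is fine, but it is worth confirming that `wsi->flags` really carries bit 29 for this wsi, otherwise the new option has no effect. `lws_client_interpret_server_handshake` begins before and continues after this hunk.
```c
#if defined(LWS_WITH_TLS)
	if ((wsi->tls.use_ssl & LCCSCF_USE_SSL) && !ssl) {
		if (!(wsi->flags & LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS)) {
			cce = "HS: Redirect attempted SSL downgrade";
			goto bail3;
		}
		/* caller opted in to the downgrade; leave a trace of it */
		lwsl_warn("%s: accepting redirect SSL downgrade\n", __func__);
	}
```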