From 897d8e662cc34058e3b0089b69e5f44a2d6b3a6e Mon Sep 17 00:00:00 2001
From: Sam Lucidi <slucidi@redhat.com>
Date: Thu, 12 Dec 2019 17:10:23 -0500
Subject: [PATCH] Add --insecure-tls flag to disable SSL cert verification

Signed-off-by: Sam Lucidi <slucidi@redhat.com>
---
 changelog/unreleased/issue-2656    | 8 ++++++++
 cmd/restic/global.go               | 4 ++++
 doc/manual_rest.rst                | 2 ++
 internal/backend/http_transport.go | 7 +++++++
 4 files changed, 21 insertions(+)
 create mode 100644 changelog/unreleased/issue-2656

diff --git a/changelog/unreleased/issue-2656 b/changelog/unreleased/issue-2656
new file mode 100644
index 000000000..6ec71677f
--- /dev/null
+++ b/changelog/unreleased/issue-2656
@@ -0,0 +1,8 @@
+Enhancement: Add flag to disable TLS verification for self-signed certificates
+
+We've added a flag, `--insecure-tls`, to allow disabling
+TLS verification for self-signed certificates in order to support
+some development workflows.
+
+https://github.com/restic/restic/issues/2656
+https://github.com/restic/restic/pull/2657
diff --git a/cmd/restic/global.go b/cmd/restic/global.go
index 70ec84058..127e40573 100644
--- a/cmd/restic/global.go
+++ b/cmd/restic/global.go
@@ -61,6 +61,7 @@ type GlobalOptions struct {
 	CacheDir        string
 	NoCache         bool
 	CACerts         []string
+	InsecureTLS     bool
 	TLSClientCert   string
 	CleanupCache    bool
 
@@ -115,6 +116,7 @@ func init() {
 	f.BoolVar(&globalOptions.NoCache, "no-cache", false, "do not use a local cache")
 	f.StringSliceVar(&globalOptions.CACerts, "cacert", nil, "`file` to load root certificates from (default: use system certificates)")
 	f.StringVar(&globalOptions.TLSClientCert, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key")
+	f.BoolVar(&globalOptions.InsecureTLS, "insecure-tls", false, "skip TLS certificate verification when connecting to the repo (insecure)")
 	f.BoolVar(&globalOptions.CleanupCache, "cleanup-cache", false, "auto remove old cache directories")
 	f.IntVar(&globalOptions.LimitUploadKb, "limit-upload", 0, "limits uploads to a maximum rate in KiB/s. (default: unlimited)")
 	f.IntVar(&globalOptions.LimitDownloadKb, "limit-download", 0, "limits downloads to a maximum rate in KiB/s. (default: unlimited)")
@@ -671,6 +673,7 @@ func open(s string, gopts GlobalOptions, opts options.Options) (restic.Backend,
 	tropts := backend.TransportOptions{
 		RootCertFilenames:        globalOptions.CACerts,
 		TLSClientCertKeyFilename: globalOptions.TLSClientCert,
+		InsecureTLS:              globalOptions.InsecureTLS,
 	}
 	rt, err := backend.Transport(tropts)
 	if err != nil {
@@ -751,6 +754,7 @@ func create(s string, opts options.Options) (restic.Backend, error) {
 	tropts := backend.TransportOptions{
 		RootCertFilenames:        globalOptions.CACerts,
 		TLSClientCertKeyFilename: globalOptions.TLSClientCert,
+		InsecureTLS:              globalOptions.InsecureTLS,
 	}
 	rt, err := backend.Transport(tropts)
 	if err != nil {
diff --git a/doc/manual_rest.rst b/doc/manual_rest.rst
index 0c03d07e6..87f3104a1 100644
--- a/doc/manual_rest.rst
+++ b/doc/manual_rest.rst
@@ -50,6 +50,7 @@ Usage help is available:
           --cache-dir directory        set the cache directory. (default: use system default cache directory)
           --cleanup-cache              auto remove old cache directories
       -h, --help                       help for restic
+          --insecure-tls               skip TLS certificate verification when connecting to the repo (insecure)
           --json                       set output mode to JSON for commands that support it
           --key-hint key               key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
           --limit-download int         limits downloads to a maximum rate in KiB/s. (default: unlimited)
@@ -118,6 +119,7 @@ command:
           --cacert file                file to load root certificates from (default: use system certificates)
           --cache-dir directory        set the cache directory. (default: use system default cache directory)
           --cleanup-cache              auto remove old cache directories
+          --insecure-tls               skip TLS certificate verification when connecting to the repo (insecure)
           --json                       set output mode to JSON for commands that support it
           --key-hint key               key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
           --limit-download int         limits downloads to a maximum rate in KiB/s. (default: unlimited)
diff --git a/internal/backend/http_transport.go b/internal/backend/http_transport.go
index 1d6ee17c6..2ff56c887 100644
--- a/internal/backend/http_transport.go
+++ b/internal/backend/http_transport.go
@@ -22,6 +22,9 @@ type TransportOptions struct {
 
 	// contains the name of a file containing the TLS client certificate and private key in PEM format
 	TLSClientCertKeyFilename string
+
+	// Skip TLS certificate verification
+	InsecureTLS bool
 }
 
 // readPEMCertKey reads a file and returns the PEM encoded certificate and key
@@ -79,6 +82,10 @@ func Transport(opts TransportOptions) (http.RoundTripper, error) {
 		TLSClientConfig:       &tls.Config{},
 	}
 
+	if opts.InsecureTLS {
+		tr.TLSClientConfig.InsecureSkipVerify = true
+	}
+
 	if opts.TLSClientCertKeyFilename != "" {
 		certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename)
 		if err != nil {