From 897d8e662cc34058e3b0089b69e5f44a2d6b3a6e Mon Sep 17 00:00:00 2001
From: Sam Lucidi
Date: Thu, 12 Dec 2019 17:10:23 -0500
Subject: [PATCH] Add --insecure-tls flag to disable SSL cert verification

Signed-off-by: Sam Lucidi
---
 changelog/unreleased/issue-2656 | 8 ++++++++
 cmd/restic/global.go | 4 ++++
 doc/manual_rest.rst | 2 ++
 internal/backend/http_transport.go | 7 +++++++
 4 files changed, 21 insertions(+)
 create mode 100644 changelog/unreleased/issue-2656

diff --git a/changelog/unreleased/issue-2656 b/changelog/unreleased/issue-2656
new file mode 100644
index 000000000..6ec71677f
--- /dev/null
+++ b/changelog/unreleased/issue-2656
@@ -0,0 +1,8 @@
+Enhancement: Add flag to disable TLS verification for self-signed certificates
+
+We've added a flag, `--insecure-tls`, to allow disabling
+TLS verification for self-signed certificates in order to support
+some development workflows.
+
+https://github.com/restic/restic/issues/2656
+https://github.com/restic/restic/pull/2657
diff --git a/cmd/restic/global.go b/cmd/restic/global.go
index 70ec84058..127e40573 100644
--- a/cmd/restic/global.go
+++ b/cmd/restic/global.go
@@ -61,6 +61,7 @@ type GlobalOptions struct {
 CacheDir string
 NoCache bool
 CACerts []string
+ InsecureTLS bool
 TLSClientCert string
 CleanupCache bool
@@ -115,6 +116,7 @@ func init() {
 f.BoolVar(&globalOptions.NoCache, "no-cache", false, "do not use a local cache")
 f.StringSliceVar(&globalOptions.CACerts, "cacert", nil, "`file` to load root certificates from (default: use system certificates)")
 f.StringVar(&globalOptions.TLSClientCert, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key")
+ f.BoolVar(&globalOptions.InsecureTLS, "insecure-tls", false, "skip TLS certificate verification when connecting to the repo (insecure)")
 f.BoolVar(&globalOptions.CleanupCache, "cleanup-cache", false, "auto remove old cache directories")
 f.IntVar(&globalOptions.LimitUploadKb, "limit-upload", 0, "limits uploads to a maximum rate in KiB/s. (default: unlimited)")
 f.IntVar(&globalOptions.LimitDownloadKb, "limit-download", 0, "limits downloads to a maximum rate in KiB/s. (default: unlimited)")
@@ -671,6 +673,7 @@ func open(s string, gopts GlobalOptions, opts options.Options) (restic.Backend,
 tropts := backend.TransportOptions{
 RootCertFilenames: globalOptions.CACerts,
 TLSClientCertKeyFilename: globalOptions.TLSClientCert,
+ InsecureTLS: globalOptions.InsecureTLS,
 }
 rt, err := backend.Transport(tropts)
 if err != nil {
@@ -751,6 +754,7 @@ func create(s string, opts options.Options) (restic.Backend, error) {
 tropts := backend.TransportOptions{
 RootCertFilenames: globalOptions.CACerts,
 TLSClientCertKeyFilename: globalOptions.TLSClientCert,
+ InsecureTLS: globalOptions.InsecureTLS,
 }
 rt, err := backend.Transport(tropts)
 if err != nil {
diff --git a/doc/manual_rest.rst b/doc/manual_rest.rst
index 0c03d07e6..87f3104a1 100644
--- a/doc/manual_rest.rst
+++ b/doc/manual_rest.rst
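Review bot: The new `InsecureTLS: globalOptions.InsecureTLS` line in `open` reads the package-level `globalOptions` even though the function receives `gopts GlobalOptions`; it follows the two neighbouring lines, so this is inherited rather than new, but it means the TLS settings cannot be varied per call or in tests. The same three-field `backend.TransportOptions` literal is now repeated verbatim in `open` and `create`; a small helper such as `func transportOptions(gopts GlobalOptions) backend.TransportOptions` returning it would keep the TLS-related fields in one place when the next option is added. Both enclosing functions begin and end outside the hunk.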
@@ -50,6 +50,7 @@ Usage help is available:
 --cache-dir directory set the cache directory. (default: use system default cache directory)
 --cleanup-cache auto remove old cache directories
 -h, --help help for restic
+ --insecure-tls skip TLS certificate verification when connecting to the repo (insecure)
 --json set output mode to JSON for commands that support it
 --key-hint key key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
 --limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited)
@@ -118,6 +119,7 @@ command:
 --cacert file file to load root certificates from (default: use system certificates)
 --cache-dir directory set the cache directory. (default: use system default cache directory)
 --cleanup-cache auto remove old cache directories
+ --insecure-tls skip TLS certificate verification when connecting to the repo (insecure)
 --json set output mode to JSON for commands that support it
 --key-hint key key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
 --limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited)
diff --git a/internal/backend/http_transport.go b/internal/backend/http_transport.go
index 1d6ee17c6..2ff56c887 100644
--- a/internal/backend/http_transport.go
+++ b/internal/backend/http_transport.go
@@ -22,6 +22,9 @@ type TransportOptions struct {
 // contains the name of a file containing the TLS client certificate and private key in PEM format
 TLSClientCertKeyFilename string
+
+ // Skip TLS certificate verification
+ InsecureTLS bool
 }
 // readPEMCertKey reads a file and returns the PEM encoded certificate and key
@@ -79,6 +82,10 @@ func Transport(opts TransportOptions) (http.RoundTripper, error) {
 TLSClientConfig: &tls.Config{},
 }
+ if opts.InsecureTLS {
+ tr.TLSClientConfig.InsecureSkipVerify = true
+ }
+
 if opts.TLSClientCertKeyFilename != "" {
 certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename)
 if err != nil {
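Review bot: The field comment `// Skip TLS certificate verification` on the new `InsecureTLS` field understates its effect; the consumer in `Transport` sets `tls.Config.InsecureSkipVerify`, which turns off both chain and hostname verification and makes any `RootCertFilenames` irrelevant. Suggest `// InsecureTLS disables TLS certificate chain and hostname verification for the backend connection. Intended for development against self-signed certificates only; RootCertFilenames has no effect when set.` so that package users see the consequence without reading Transport.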
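Review bot: `tr.TLSClientConfig.InsecureSkipVerify = true` is applied whenever `opts.InsecureTLS` is set, even when `opts.RootCertFilenames` was also supplied, so a user passing both `--cacert` and `--insecure-tls` ends up with no verification and no indication that the CA file is being ignored. Treating the combination as a configuration error (return an error from `Transport` when both are set) or emitting a single warning in the `cmd` layer when the flag is active would make the downgrade visible in logs rather than silent. The rest of `Transport` lies outside the hunk, so I cannot confirm from here that `TLSClientConfig` is not replaced later in the function; if it is, this assignment must come after that point to take effect.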