From 4346c2fdd307b6d38c6c2b533a4358c9024d7466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= Date: Tue, 28 May 2024 12:12:45 +0100 Subject: [PATCH] hook default verification level from debug/experimental MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Caolán McNamara Change-Id: I138aeca51247cb173b1639cc4f5033ad9ce3265b --- config.h.in | 3 +++ configure.ac | 10 +++++++++- coolwsd.xml.in | 4 +++- net/Ssl.cpp | 3 ++- wsd/COOLWSD.cpp | 1 + wsd/Storage.cpp | 11 ++++++++--- 6 files changed, 26 insertions(+), 6 deletions(-) diff --git a/config.h.in b/config.h.in index 9d790f536..0601dd502 100644 --- a/config.h.in +++ b/config.h.in @@ -40,6 +40,9 @@ /* Whether to enable SSL */ #undef ENABLE_SSL +/* Whether to default to using SSL_VERIFY_PEER */ +#undef SSL_VERIFY + /* Whether to enable support key */ #undef ENABLE_SUPPORT_KEY diff --git a/configure.ac b/configure.ac index d9ff3111b..950a6374d 100644 --- a/configure.ac +++ b/configure.ac @@ -426,6 +426,7 @@ experimental_msg="disabled by default" bundle_msg="using uglified bundled JS and CSS" LOK_LOG_ASSERTIONS=0 log_asserts_msg="disabled" +SSL_VERIFY="true" # a reasonable default NUM_PRESPAWN_CHILDREN=4 @@ -443,6 +444,7 @@ if test "$enable_debug" = "yes"; then COOLWSD_ANONYMIZE_USER_DATA=false BROWSER_LOGGING="true" debug_msg="low security debugging mode" + SSL_VERIFY="false" # helps attaching to the right process NUM_PRESPAWN_CHILDREN=1 @@ -520,9 +522,15 @@ fi if test "$enable_experimental" = "yes" ; then ENABLE_EXPERIMENTAL=true experimental_msg="enabled by default" + SSL_VERIFY="false" fi AC_SUBST(ENABLE_EXPERIMENTAL) +AC_MSG_CHECKING([if ssl verification is enabled by default]) +AC_MSG_RESULT([$SSL_VERIFY]) +AC_DEFINE_UNQUOTED([SSL_VERIFY],["$SSL_VERIFY"],[Default SSL Verification mode]) +AC_SUBST(SSL_VERIFY) + dnl check for a file at a path with an env-var with a given suffix AC_DEFUN([CHK_FILE_VAR], dnl env-var, suffix, file-to-match, msg [ 
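Review bot: The new comment above `#undef SSL_VERIFY` reads like a yes/no switch, but the AC_DEFINE_UNQUOTED in configure.ac quotes the value, so SSL_VERIFY expands to the string literal "true" or "false" (which is what the COOLWSD.cpp default table relies on), and the two descriptions also disagree ("Whether to default to using SSL_VERIFY_PEER" here, "Default SSL Verification mode" in configure.ac). I would make the header comment state what the macro actually holds, e.g. `/* Default for ssl.ssl_verification: the string "true" or "false", not a 0/1 flag like ENABLE_SSL */`. If config.h.in is ever regenerated by autoheader the AC_DEFINE description replaces this text, so keeping the two wordings identical avoids a spurious diff later.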
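Review bot: `SSL_VERIFY="false"` under `--enable-experimental` switches off TLS certificate verification in the default configuration of builds that only want experimental features, and nothing in this hunk explains that as a security trade-off the way the debug hunk's "low security debugging mode" message does. A packager enabling experimental features gets a generated coolwsd.xml that skips peer verification, and the patch adds no configure switch to restore it short of editing the generated config. I would either drop the experimental override and keep the relaxation to `--enable-debug`, or make it as visible as the debug case, e.g. `experimental_msg="enabled by default (ssl verification off by default)"`. The same assignment appears in the @@ -443 debug hunk, where it is at least covered by the existing low-security message.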
@@ -1301,7 +1309,7 @@ AC_SUBST(LIBPFM_LIBS) ENABLE_SSL=true if test "$enable_ssl" != "no" -a "$mobile_app" != "true"; then - ssl_msg="ssl enabled" + ssl_msg="ssl enabled. cert verification: $SSL_VERIFY" ENABLE_SSL=true AC_DEFINE([ENABLE_SSL],1,[Whether to enable SSL]) else diff --git a/coolwsd.xml.in b/coolwsd.xml.in index 19a2e70a0..8144634ae 100644 --- a/coolwsd.xml.in +++ b/coolwsd.xml.in @@ -197,6 +197,7 @@ /etc/coolwsd/cert.pem /etc/coolwsd/key.pem /etc/coolwsd/ca-chain.cert.pem + @SSL_VERIFY@ 1000 @@ -265,7 +266,8 @@ - + + diff --git a/net/Ssl.cpp b/net/Ssl.cpp index 2c23421fc..8f88aa7ae 100644 --- a/net/Ssl.cpp +++ b/net/Ssl.cpp @@ -189,7 +189,8 @@ SslContext::SslContext(const std::string& certFilePath, const std::string& keyFi } } - SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, nullptr /*&verifyServerCallback*/); + const int sslVerifyMode = _verification == ssl::CertificateVerification::Disabled ? SSL_VERIFY_NONE : SSL_VERIFY_PEER; + SSL_CTX_set_verify(_ctx, sslVerifyMode, nullptr /*&verifyServerCallback*/); SSL_CTX_set_cipher_list(_ctx, cipherList.c_str()); SSL_CTX_set_verify_depth(_ctx, 9); diff --git a/wsd/COOLWSD.cpp b/wsd/COOLWSD.cpp index bb143a4f9..89d3d34ce 100644 --- a/wsd/COOLWSD.cpp +++ b/wsd/COOLWSD.cpp @@ -2049,6 +2049,7 @@ void COOLWSD::innerInitialize(Application& self) { "ssl.sts.max_age", "31536000" }, { "ssl.key_file_path", COOLWSD_CONFIGDIR "/key.pem" }, { "ssl.termination", "true" }, + { "ssl.ssl_verification", SSL_VERIFY }, { "stop_on_config_change", "false" }, { "storage.filesystem[@allow]", "false" }, // "storage.ssl.enable" - deliberately not set; for back-compat diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp index 69fd68e3b..2aeef9dc6 100644 --- a/wsd/Storage.cpp +++ b/wsd/Storage.cpp 
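Review bot: When `_verification` is Disabled the context is created with `SSL_VERIFY_NONE` and nothing is logged, so an operator cannot see from startup output that peer certificates are no longer checked; a one-line warning beside the new `SSL_CTX_set_verify` call makes the downgrade visible: `if (sslVerifyMode == SSL_VERIFY_NONE) LOG_WRN("SSL certificate verification is disabled for this context");`. Note also that on a server-side context SSL_VERIFY_PEER means "request a client certificate" rather than "verify the peer's server certificate", so if this constructor is shared by the listening and the client contexts (not visible in the hunk) the flag changes different things on each side and a comment saying which side `_verification` is meant to govern would help. The constructor begins before the hunk and `_verification` is assigned outside it.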
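Review bot: The new default `{ "ssl.ssl_verification", SSL_VERIFY }` has no `storage.ssl.ssl_verification` counterpart, although the other storage.ssl.* settings that Storage.cpp reads (ca_file_path, cipher_list) go through getPathFromConfigWithFallback, and the comment two lines below shows this table is where such deliberate omissions are explained. If leaving storage without its own override is intentional, say so in the same style: `// "storage.ssl.ssl_verification" - deliberately not set; Storage.cpp inherits "ssl.ssl_verification"`. innerInitialize continues outside the hunk.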
@@ -141,7 +141,11 @@ void StorageBase::initialize() sslClientParams.caLocation = COOLWSD::getPathFromConfigWithFallback("storage.ssl.ca_file_path", "ssl.ca_file_path"); sslClientParams.cipherList = COOLWSD::getPathFromConfigWithFallback("storage.ssl.cipher_list", "ssl.cipher_list"); - sslClientParams.verificationMode = (sslClientParams.caLocation.empty() ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_STRICT); + const bool caLocationEmpty = sslClientParams.caLocation.empty(); + // Fallback to false if caLocation is empty for back compatibility, otherwise inherit from ssl.ssl_verification + const bool sslVerification = caLocationEmpty ? false : COOLWSD::getConfigValue("ssl.ssl_verification", true); + + sslClientParams.verificationMode = !sslVerification ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_STRICT; sslClientParams.loadDefaultCAs = true; } else @@ -162,8 +166,9 @@ void StorageBase::initialize() ssl::Manager::initializeClientContext( sslClientParams.certificateFile, sslClientParams.privateKeyFile, sslClientParams.caLocation, sslClientParams.cipherList, - sslClientParams.caLocation.empty() ? ssl::CertificateVerification::Disabled - : ssl::CertificateVerification::Required); + sslClientParams.verificationMode == Poco::Net::Context::VERIFY_NONE + ? ssl::CertificateVerification::Disabled + : ssl::CertificateVerification::Required); if (!ssl::Manager::isClientContextInitialized()) LOG_ERR("Failed to initialize Client SSL."); else
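Review bot: The new `sslVerification` line lets an empty `storage.ssl.ca_file_path`/`ssl.ca_file_path` override an explicit `ssl.ssl_verification=true`, so an administrator who asks for verification but has no CA file configured silently gets VERIFY_NONE, even though `loadDefaultCAs = true` on the following line means system CAs would be available. That downgrade should at least be logged: `if (caLocationEmpty && COOLWSD::getConfigValue("ssl.ssl_verification", true)) LOG_WRN("ssl.ssl_verification is enabled but no CA file is configured; storage certificate verification disabled");`. The line also reads `ssl.ssl_verification` directly rather than a storage-scoped key with fallback like the ca_file_path and cipher_list lines above it, so WOPI-side verification cannot be tuned independently of the listening socket; a `storage.ssl.ssl_verification` key resolved with the same fallback pattern would keep the three settings consistent. StorageBase::initialize continues on both sides of the hunk.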
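Review bot: The `ssl::CertificateVerification` passed to initializeClientContext is now derived from `sslClientParams.verificationMode`, so it is Disabled only when that field is exactly VERIFY_NONE; if the `else` branch closing the previous hunk leaves verificationMode at the struct's default (not visible here), the non-Poco client context would be Required while the Poco parameters say otherwise. A short comment at the call, `// Mirror the Poco verificationMode chosen above so both client stacks agree`, plus an explicit assignment on the else path, would make that coupling clear. StorageBase::initialize continues outside the hunk.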