clj-commons/clj-http-lite

Allowing insecure ssl enables insecure ssl for all subsequent requests

lread opened this issue · 0 comments

lread commented

Repro

Start a fresh REPL.

Verify that hitting a site with bad SSL throws:

(require '[clj-http.lite.client :as client])

;; as expected we throw on a bad SSL cert the first time
(client/get "https://expired.badssl.com")
;; => CertificateExpiredException NotAfter: Sun Apr 12 19:59:59 EDT 2015  sun.security.x509.CertificateValidity.valid (CertificateValidity.java:277)

;; and subsequent times
(client/get "https://expired.badssl.com")
;; => CertificateExpiredException NotAfter: Sun Apr 12 19:59:59 EDT 2015  sun.security.x509.CertificateValidity.valid (CertificateValidity.java:277)

Let's allow for bad SSL certs on a single request; as expected, we do not throw:

(client/get "https://expired.badssl.com" {:insecure? true})
;; => {:headers
;;     {"server" "nginx/1.10.3 (Ubuntu)",
;;      "date" "Wed, 17 Aug 2022 21:50:26 GMT",
;;      "content-type" "text/html",
;;      "last-modified" "Fri, 12 Aug 2022 15:59:21 GMT",
;;      "transfer-encoding" "chunked",
;;      "connection" "keep-alive",
;;      "etag" "W/\"62f678d9-1ee\"",
;;      "cache-control" "no-store",
;;      "content-encoding" "gzip"},
;;     :status 200,
;;     :body
;;     "<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>\n  <link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>\n  <title>expired.badssl.com</title>\n  <link rel=\"stylesheet\" href=\"/style.css\">\n  <style>body { background: red; }</style>\n</head>\n<body>\n<div id=\"content\">\n  <h1 style=\"font-size: 12vw;\">\n    expired.<br>badssl.com\n  </h1>\n</div>\n\n</body>\n</html>\n"}

Now let's retry that site with a bad cert without :insecure?:

(client/get "https://expired.badssl.com")

Expected Behaviour

The request should throw.

Actual Behaviour

It allowed the bad cert:

;; => {:headers
;;     {"server" "nginx/1.10.3 (Ubuntu)",
;;      "date" "Wed, 17 Aug 2022 21:50:45 GMT",
;;      "content-type" "text/html",
;;      "last-modified" "Fri, 12 Aug 2022 15:59:21 GMT",
;;      "transfer-encoding" "chunked",
;;      "connection" "keep-alive",
;;      "etag" "W/\"62f678d9-1ee\"",
;;      "cache-control" "no-store",
;;      "content-encoding" "gzip"},
;;     :status 200,
;;     :body
;;     "<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <link rel=\"shortcut icon\" href=\"/icons/favicon-red.ico\"/>\n  <link rel=\"apple-touch-icon\" href=\"/icons/icon-red.png\"/>\n  <title>expired.badssl.com</title>\n  <link rel=\"stylesheet\" href=\"/style.css\">\n  <style>body { background: red; }</style>\n</head>\n<body>\n<div id=\"content\">\n  <h1 style=\"font-size: 12vw;\">\n    expired.<br>badssl.com\n  </h1>\n</div>\n\n</body>\n</html>\n"}

Further Tests

Let's try a different site with a bad SSL cert; we would expect it to throw, but it does not.

(client/get "https://expired-rsa-dv.ssl.com")
;; => {:headers
;;     {"accept-ranges" "bytes",
;;      "content-length" "138",
;;      "content-type" "text/html; charset=utf-8",
;;      "etag" "\"re71tc3u\"",
;;      "last-modified" "Tue, 28 Jun 2022 15:32:00 GMT",
;;      "server" "Caddy",
;;      "date" "Wed, 17 Aug 2022 21:51:29 GMT"},
;;     :status 200,
;;     :body
;;     "\n<HTML>\nThis is a test site authenticated by <a href=\"https://www.ssl.com\" target=\"_blank\">SSL.com</a> using SSL/TLS Certificate!\n</HTML>\n"}

If we restart our REPL, we are all good again:

(client/get "https://expired.badssl.com")
;; => CertificateExpiredException NotAfter: Sun Apr 12 19:59:59 EDT 2015  sun.security.x509.CertificateValidity.valid (CertificateValidity.java:277)

(client/get "https://expired-rsa-dv.ssl.com")
;; => CertificateExpiredException NotAfter: Tue Aug 02 16:48:30 EDT 2016  sun.security.x509.CertificateValidity.valid (CertificateValidity.java:277)

Next Steps

I'll take a peek at the code and see if I can fix.
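The issue does not say where the leaked state lives. In JVM HTTP clients built on HttpsURLConnection, this class of bug usually comes from replacing the process-wide defaults (HttpsURLConnection/setDefaultSSLSocketFactory and setDefaultHostnameVerifier) instead of configuring the single connection object. The Clojure snippet below is an added example, not part of the issue or of clj-http-lite's code. It assumes that explanation; open-connection, trust-all-context and defaults-unchanged? are hypothetical names. It shows the per-connection form of :insecure? and a regression test that the JVM-wide defaults are identical before and after an insecure connection is prepared. Opening a connection does not perform the TLS handshake until the body is read, so the check runs offline.

```clojure
(ns insecure-isolation-check
  (:require [clojure.test :refer [deftest is]])
  (:import [javax.net.ssl HttpsURLConnection SSLContext TrustManager
            X509TrustManager HostnameVerifier]
           [java.net URL]
           [java.security.cert X509Certificate]))

;; Hypothetical helper (not the library's code): an SSLContext whose trust
;; manager accepts any chain. It is only ever attached to one connection.
(defn- trust-all-context ^SSLContext []
  (doto (SSLContext/getInstance "TLS")
    (.init nil
           (into-array TrustManager
                       [(reify X509TrustManager
                          (getAcceptedIssuers [_] (make-array X509Certificate 0))
                          (checkClientTrusted [_ _chain _auth-type])
                          (checkServerTrusted [_ _chain _auth-type]))])
           nil)))

(defn open-connection
  "Hypothetical. Opens a connection to url. When :insecure? is true, certificate
   and hostname checks are disabled on THIS HttpsURLConnection instance only;
   the static defaults used by every other connection in the JVM stay untouched."
  ^HttpsURLConnection [^String url {:keys [insecure?]}]
  (let [conn (.openConnection (URL. url))]
    (when (and insecure? (instance? HttpsURLConnection conn))
      (doto ^HttpsURLConnection conn
        (.setSSLSocketFactory (.getSocketFactory (trust-all-context)))
        (.setHostnameVerifier (reify HostnameVerifier
                                (verify [_ _hostname _session] true)))))
    conn))

(defn defaults-unchanged?
  "Regression check for the behaviour reported in this issue: preparing an
   insecure connection must not swap the JVM-wide socket factory or verifier."
  []
  (let [sf-before (HttpsURLConnection/getDefaultSSLSocketFactory)
        hv-before (HttpsURLConnection/getDefaultHostnameVerifier)]
    ;; Same host as the repro above; no handshake happens here.
    (open-connection "https://expired.badssl.com" {:insecure? true})
    (and (identical? sf-before (HttpsURLConnection/getDefaultSSLSocketFactory))
         (identical? hv-before (HttpsURLConnection/getDefaultHostnameVerifier)))))

(deftest insecure-flag-does-not-leak
  (is (defaults-unchanged?)))
```

Run with (clojure.test/run-tests 'insecure-isolation-check). A client that sets the static defaults instead of the per-instance setters fails this test on the first insecure request, which is exactly the symptom seen in the REPL session above: every later request, with or without :insecure?, inherits the trust-all factory until the JVM restarts.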