Add --insecure-tls flag to disable SSL cert verification
Signed-off-by: Sam Lucidi <slucidi@redhat.com>
parent
1827b16ade
commit
897d8e662c
4 changed files with 21 additions and 0 deletions
8
changelog/unreleased/issue-2656
Normal file
8
changelog/unreleased/issue-2656
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
Enhancement: Add flag to disable TLS verification for self-signed certificates
|
||||||
|
|
||||||
|
We've added a flag, `--insecure-tls`, to allow disabling
|
||||||
|
TLS verification for self-signed certificates in order to support
|
||||||
|
some development workflows.
|
||||||
|
|
||||||
|
https://github.com/restic/restic/issues/2656
|
||||||
|
https://github.com/restic/restic/pull/2657
|
|
@ -61,6 +61,7 @@ type GlobalOptions struct {
|
||||||
CacheDir string
|
CacheDir string
|
||||||
NoCache bool
|
NoCache bool
|
||||||
CACerts []string
|
CACerts []string
|
||||||
|
InsecureTLS bool
|
||||||
TLSClientCert string
|
TLSClientCert string
|
||||||
CleanupCache bool
|
CleanupCache bool
|
||||||
|
|
||||||
|
@ -115,6 +116,7 @@ func init() {
|
||||||
f.BoolVar(&globalOptions.NoCache, "no-cache", false, "do not use a local cache")
|
f.BoolVar(&globalOptions.NoCache, "no-cache", false, "do not use a local cache")
|
||||||
f.StringSliceVar(&globalOptions.CACerts, "cacert", nil, "`file` to load root certificates from (default: use system certificates)")
|
f.StringSliceVar(&globalOptions.CACerts, "cacert", nil, "`file` to load root certificates from (default: use system certificates)")
|
||||||
f.StringVar(&globalOptions.TLSClientCert, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key")
|
f.StringVar(&globalOptions.TLSClientCert, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key")
|
||||||
|
f.BoolVar(&globalOptions.InsecureTLS, "insecure-tls", false, "skip TLS certificate verification when connecting to the repo (insecure)")
|
||||||
f.BoolVar(&globalOptions.CleanupCache, "cleanup-cache", false, "auto remove old cache directories")
|
f.BoolVar(&globalOptions.CleanupCache, "cleanup-cache", false, "auto remove old cache directories")
|
||||||
f.IntVar(&globalOptions.LimitUploadKb, "limit-upload", 0, "limits uploads to a maximum rate in KiB/s. (default: unlimited)")
|
f.IntVar(&globalOptions.LimitUploadKb, "limit-upload", 0, "limits uploads to a maximum rate in KiB/s. (default: unlimited)")
|
||||||
f.IntVar(&globalOptions.LimitDownloadKb, "limit-download", 0, "limits downloads to a maximum rate in KiB/s. (default: unlimited)")
|
f.IntVar(&globalOptions.LimitDownloadKb, "limit-download", 0, "limits downloads to a maximum rate in KiB/s. (default: unlimited)")
|
||||||
|
@ -671,6 +673,7 @@ func open(s string, gopts GlobalOptions, opts options.Options) (restic.Backend,
|
||||||
tropts := backend.TransportOptions{
|
tropts := backend.TransportOptions{
|
||||||
RootCertFilenames: globalOptions.CACerts,
|
RootCertFilenames: globalOptions.CACerts,
|
||||||
TLSClientCertKeyFilename: globalOptions.TLSClientCert,
|
TLSClientCertKeyFilename: globalOptions.TLSClientCert,
|
||||||
|
InsecureTLS: globalOptions.InsecureTLS,
|
||||||
}
|
}
|
||||||
rt, err := backend.Transport(tropts)
|
rt, err := backend.Transport(tropts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -751,6 +754,7 @@ func create(s string, opts options.Options) (restic.Backend, error) {
|
||||||
tropts := backend.TransportOptions{
|
tropts := backend.TransportOptions{
|
||||||
RootCertFilenames: globalOptions.CACerts,
|
RootCertFilenames: globalOptions.CACerts,
|
||||||
TLSClientCertKeyFilename: globalOptions.TLSClientCert,
|
TLSClientCertKeyFilename: globalOptions.TLSClientCert,
|
||||||
|
InsecureTLS: globalOptions.InsecureTLS,
|
||||||
}
|
}
|
||||||
rt, err := backend.Transport(tropts)
|
rt, err := backend.Transport(tropts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
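Review bot: In the `open` hunk the new `InsecureTLS: globalOptions.InsecureTLS` line passes the flag through without any runtime indication that verification is off, so once `--insecure-tls` lands in a wrapper script or alias every repository connection stays unauthenticated with nothing in the output to show it. Consider warning at the point where the transport options are built, e.g. `if globalOptions.InsecureTLS { Warnf("--insecure-tls is set: TLS certificate verification is disabled\n") }`, and the same in the `create` hunk, which repeats the wiring. Both `open` and `create` continue outside their hunks. As a point of style, `open` takes `gopts GlobalOptions` yet the added line reads the package-level `globalOptions`; it follows the surrounding lines, but `gopts.InsecureTLS` would be the more direct source if the two are ever meant to differ.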
|
|
|
@ -50,6 +50,7 @@ Usage help is available:
|
||||||
--cache-dir directory set the cache directory. (default: use system default cache directory)
|
--cache-dir directory set the cache directory. (default: use system default cache directory)
|
||||||
--cleanup-cache auto remove old cache directories
|
--cleanup-cache auto remove old cache directories
|
||||||
-h, --help help for restic
|
-h, --help help for restic
|
||||||
|
--insecure-tls skip TLS certificate verification when connecting to the repo (insecure)
|
||||||
--json set output mode to JSON for commands that support it
|
--json set output mode to JSON for commands that support it
|
||||||
--key-hint key key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
|
--key-hint key key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
|
||||||
--limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited)
|
--limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited)
|
||||||
|
@ -118,6 +119,7 @@ command:
|
||||||
--cacert file file to load root certificates from (default: use system certificates)
|
--cacert file file to load root certificates from (default: use system certificates)
|
||||||
--cache-dir directory set the cache directory. (default: use system default cache directory)
|
--cache-dir directory set the cache directory. (default: use system default cache directory)
|
||||||
--cleanup-cache auto remove old cache directories
|
--cleanup-cache auto remove old cache directories
|
||||||
|
--insecure-tls skip TLS certificate verification when connecting to the repo (insecure)
|
||||||
--json set output mode to JSON for commands that support it
|
--json set output mode to JSON for commands that support it
|
||||||
--key-hint key key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
|
--key-hint key key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
|
||||||
--limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited)
|
--limit-download int limits downloads to a maximum rate in KiB/s. (default: unlimited)
|
||||||
|
|
|
@ -22,6 +22,9 @@ type TransportOptions struct {
|
||||||
|
|
||||||
// contains the name of a file containing the TLS client certificate and private key in PEM format
|
// contains the name of a file containing the TLS client certificate and private key in PEM format
|
||||||
TLSClientCertKeyFilename string
|
TLSClientCertKeyFilename string
|
||||||
|
|
||||||
|
// Skip TLS certificate verification
|
||||||
|
InsecureTLS bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// readPEMCertKey reads a file and returns the PEM encoded certificate and key
|
// readPEMCertKey reads a file and returns the PEM encoded certificate and key
|
||||||
|
@ -79,6 +82,10 @@ func Transport(opts TransportOptions) (http.RoundTripper, error) {
|
||||||
TLSClientConfig: &tls.Config{},
|
TLSClientConfig: &tls.Config{},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if opts.InsecureTLS {
|
||||||
|
tr.TLSClientConfig.InsecureSkipVerify = true
|
||||||
|
}
|
||||||
|
|
||||||
if opts.TLSClientCertKeyFilename != "" {
|
if opts.TLSClientCertKeyFilename != "" {
|
||||||
certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename)
|
certs, key, err := readPEMCertKey(opts.TLSClientCertKeyFilename)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
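Review bot: The new branch in `Transport` sets `tr.TLSClientConfig.InsecureSkipVerify = true`, which disables both chain validation and hostname checking, so if the roots named by `RootCertFilenames` are installed into the same `tls.Config` later in the function (its body continues outside the hunk) they are loaded but never consulted when both options are given. Returning an error when `InsecureTLS` is combined with `RootCertFilenames` would make that precedence explicit rather than silent. The field comment in the `TransportOptions` hunk should also say what the option really does; I would replace `// Skip TLS certificate verification` with `// InsecureTLS disables verification of the server certificate chain and hostname (InsecureSkipVerify); prefer RootCertFilenames for self-signed certificates.`.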