From: lu.shasha Date: Fri, 26 May 2017 09:01:49 +0000 (+0800) Subject: rgw: add "rgw_verify_ssl" config X-Git-Tag: v12.1.0~215^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8b83b83d1a405855132b49cfe1f2cc1fe2a4b23d;p=ceph.git rgw: add "rgw_verify_ssl" config http_client whether try to verify ssl when sent https request Signed-off-by: Shasha Lu --- diff --git a/doc/radosgw/config-ref.rst b/doc/radosgw/config-ref.rst index 8a9c39e8588..0109fc0c24b 100644 --- a/doc/radosgw/config-ref.rst +++ b/doc/radosgw/config-ref.rst @@ -385,6 +385,13 @@ Ceph configuration file, the default value will be set automatically. :Default: ``-1`` +``rgw verify ssl`` + +:Description: Verify SSL certificates while making requests. +:Type: Boolean +:Default: ``true`` + + Regions ======= diff --git a/src/common/config_opts.h b/src/common/config_opts.h index 122e84401fe..517e48766c1 100644 --- a/src/common/config_opts.h +++ b/src/common/config_opts.h @@ -1545,6 +1545,7 @@ OPTION(rgw_op_thread_suicide_timeout, OPT_INT, 0) OPTION(rgw_thread_pool_size, OPT_INT, 100) OPTION(rgw_num_control_oids, OPT_INT, 8) OPTION(rgw_num_rados_handles, OPT_U32, 1) +OPTION(rgw_verify_ssl, OPT_BOOL, true) // should http_client try to verify ssl when sent https request /* The following are tunables for caches of RGW NFS (and other file * client) objects. diff --git a/src/rgw/rgw_http_client.cc b/src/rgw/rgw_http_client.cc index 81c4c6ef6bc..3b5e22fdc00 100644 --- a/src/rgw/rgw_http_client.cc +++ b/src/rgw/rgw_http_client.cc 
@@ -355,6 +355,11 @@ int RGWHTTPClient::init_request(const char *method, const char *url, rgw_http_re if (has_send_len) { curl_easy_setopt(easy_handle, CURLOPT_INFILESIZE, (void *)send_len); } + if (!verify_ssl) { + curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYPEER, 0L); + curl_easy_setopt(easy_handle, CURLOPT_SSL_VERIFYHOST, 0L); + dout(20) << "ssl verification is set to off" << dendl; + } curl_easy_setopt(easy_handle, CURLOPT_PRIVATE, (void *)req_data); return 0; diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h index cbe4f3d0312..6d74242502d 100644 --- a/src/rgw/rgw_http_client.h +++ b/src/rgw/rgw_http_client.h @@ -93,7 +93,7 @@ public: http_status(HTTP_STATUS_NOSTATUS), req_data(nullptr), user_info(nullptr), - verify_ssl(true), + verify_ssl(cct->_conf->rgw_verify_ssl), cct(cct) { }
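Review bot: The only trace that certificate checking is off is the `dout(20)` line in the new `if (!verify_ssl)` branch, so at normal log levels nothing shows that this client accepts any certificate. The branch clears both `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`, which leaves the peer unauthenticated and every request and response on the handle open to interception and modification on the network path. I would log it where operators see it, e.g. `dout(1) << "WARNING: rgw_verify_ssl=false, https peer certificate and hostname are not verified" << dendl;`, and state the same consequence in the option comment in config_opts.h. If the motivation is a private or self-signed CA, pointing libcurl at that CA with `CURLOPT_CAINFO` would keep verification on; whether that fits here cannot be told from the hunk. init_request's body starts and ends outside the hunk.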
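Review bot: `verify_ssl(cct->_conf->rgw_verify_ssl)` reads the option once, in the constructor's initializer list, and nothing on the line says so. A comment such as `// sampled at construction; applies to every request made through this client` would make clear that the setting is process-wide rather than per endpoint, and that a later config change presumably does not reach clients already built. The `cct` used here is the constructor parameter, which shadows the member initialized on the next line, so the read is safe only while callers pass a non-null context. The constructor's signature is outside the hunk.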