Add automatic SSL reverification, closes #123

2023-01-03 12:10:24 +01:00 · 2023-01-03 12:10:24 +01:00 · 4bcc4f7703
parent 2ce7fcaed7
commit 4bcc4f7703
1 changed files with 40 additions and 0 deletions
--- a/xslt/feedgen.xsl
+++ b/xslt/feedgen.xsl
@ -50,6 +50,12 @@
    </xsl:if>
  </xsl:template>

+  <xsl:key
+    name="ssl-hosts"
+    match="//itsb:link[@verify-ssl = 'false' or @verify-ssl = '0'] | //itsb:url[@verify-ssl = 'false' or @verify-ssl = '0']"
+    use="substring-before(substring-after(text(), 'https://'), '/')"
+  />
+
  <xsl:template match="/">
    <xsl:text><![CDATA[#!/bin/bash
 set -o pipefail
@ -81,6 +87,16 @@ if ! command -v json2xml >/dev/null 2>&1; then
 fi

 ]]></xsl:text>
+    <xsl:apply-templates
+      select="//itsb:link[@verify-ssl = 'false' or @verify-ssl = '0'][generate-id() = generate-id(key('ssl-hosts', substring-before(substring-after(text(), 'https://'), '/'))[1])]"
+      mode="check"
+    />
+    <xsl:apply-templates
+      select="//itsb:url[@verify-ssl = 'false' or @verify-ssl = '0'][generate-id() = generate-id(key('ssl-hosts', substring-before(substring-after(text(), 'https://'), '/'))[1])]"
+      mode="check"
+    />
+    <xsl:text>
+</xsl:text>
    <xsl:apply-templates select="//itsb:feed[not(itsb:link)]" />
  </xsl:template>

@ -255,6 +271,30 @@ fi
 </xsl:text>
  </xsl:template>

+  <xsl:template match="itsb:link[@verify-ssl = 'false' or @verify-ssl = '0'] | itsb:url[@verify-ssl = 'false' or @verify-ssl = '0']" mode="check">
+    <xsl:variable name="url_host" select="substring-before(substring-after(text(), 'https://'), '/')" />
+    <xsl:variable name="connect">
+      <xsl:text>'</xsl:text>
+      <xsl:call-template name="escape">
+        <xsl:with-param name="text" select="$url_host" />
+      </xsl:call-template>
+      <xsl:if test="not(contains($url_host, ':'))">
+        <xsl:text>:443</xsl:text>
+      </xsl:if>
+      <xsl:text>'</xsl:text>
+    </xsl:variable>
+
+    <xsl:text>log Checking SSL certificate for </xsl:text>
+    <xsl:value-of select="$connect" />
+    <xsl:text>
+openssl s_client -quiet -no_ign_eof -verify_return_error -connect </xsl:text>
+    <xsl:value-of select="$connect" />
+    <xsl:text><![CDATA[ </dev/null >/dev/null 2>/dev/null && echo SSL verification is disabled for ]]></xsl:text>
+    <xsl:value-of select="$connect" />
+    <xsl:text>, but it was successful. Consider re-enabling it.
+</xsl:text>
+  </xsl:template>
+
  <xsl:template match="*">
    <xsl:message terminate="yes">
      <xsl:text>Unmatched element</xsl:text>