[X2Go-Commits] [buildscripts] 03/03: bin/slave-start-prepare.sh: switch from wget to cURL.

git-admin at x2go.org git-admin at x2go.org
Sat Jun 10 23:56:16 CEST 2017


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch master
in repository buildscripts.

commit 074779564c4b95a6abd4ae96d3fc138f4e448490
Author: Mihai Moldovan <ionic at ionic.de>
Date:   Sat Jun 10 23:51:28 2017 +0200

    bin/slave-start-prepare.sh: switch from wget to cURL.
    
    It doesn't seem to be (easily) possible to disable certain certificate
    checks, but still enforce the pinned pubkey hash check with wget.
    
    This means that we either have to
      - provide the pubkey hash
      - provide the CA certificate (which is pretty darn difficult when
        using self-signed certificates)
      - make sure that the parameters match what is recorded in the
        certificate (like the hostname)
    or
      - disable all checks, including the pubkey hash check.
    
    ... or find an alternative, like cURL, which allows us to bypass these
    checks but still employs the pubkey hash check.
    
    So switch to cURL.
---
 bin/slave-start-prepare.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/bin/slave-start-prepare.sh b/bin/slave-start-prepare.sh
index b9add7d..4829069 100755
--- a/bin/slave-start-prepare.sh
+++ b/bin/slave-start-prepare.sh
@@ -31,6 +31,12 @@ fi
 
 rm -f -- "slave.jar"
 
-wget -NS --pinnedpubkey="${ssl_hash}" "https://${host}/jnlpJars/slave.jar"
+# Even though we pin the certificate's public key, the --insecure option
+# is needed since our certificate (currently) is self-signed, which leads to
+# curl rejecting the certificate.
+# This is okay, since curl still checks for the pubkey hash and aborts the
+# connection if the server's pubkey hash doesn't match the pinned one, even
+# when calling it with the --insecure parameter.
+curl -R --pinnedpubkey "${ssl_hash}" --insecure "https://${host}/jnlpJars/slave.jar"
 
 java -jar "slave.jar"
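
Review bot: the added curl line has no -o or -O, so curl writes the response body to stdout rather than to slave.jar, which the rm -f above has just deleted and the java -jar below expects; wget saved to a file by default, curl does not. Suggest: curl -f -R -o slave.jar --pinnedpubkey "${ssl_hash}" --insecure "https://${host}/jnlpJars/slave.jar". With -o, the -R option has an output file to set the remote timestamp on, and -f keeps an HTTP error page from being saved as slave.jar. Because --insecure leaves the pinned key as the only server authentication, the script should also stop before java -jar when curl exits non-zero, unless it already runs under set -e, which this hunk does not show.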

--
Alioth's /srv/git/code.x2go.org/buildscripts.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/buildscripts.git

