From 8fd9cbf91bb7190450531b25a3806c5b7f69744e Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek <vpodzime@redhat.com>
Date: Tue, 17 May 2016 12:13:40 +0200
Subject: [PATCH 03/13] Do not verify SSL if inst.noverifyssl was given
inst.noverifyssl is a boot/cmdline option which should take precedence over
everything specified in the kickstart or UI.
Resolves: rhbz#1263257
---
org_fedora_oscap/data_fetch.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/org_fedora_oscap/data_fetch.py b/org_fedora_oscap/data_fetch.py
index 21edd0f..7336025 100644
--- a/org_fedora_oscap/data_fetch.py
+++ b/org_fedora_oscap/data_fetch.py
@@ -9,8 +9,14 @@ import os
import os.path
import pycurl
+from pyanaconda.flags import flags as ana_flags
+
from org_fedora_oscap import utils
+import logging
+log = logging.getLogger("anaconda")
+
+
# everything else should be private
__all__ = ["fetch_data", "can_fetch_from"]
@@ -150,8 +156,15 @@ def _fetch_http_ftp_data(url, out_file, ca_certs=None):
if ca_certs and protocol == "https":
# the strictest verification
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
+ curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.CAINFO, ca_certs)
+ # may be turned off by flags (specified on command line, take precedence)
+ if ana_flags.noverifyssl:
+ log.warning("Disabling SSL verification due to the noverifyssl flag")
+ curl.setopt(pycurl.SSL_VERIFYHOST, 0)
+ curl.setopt(pycurl.SSL_VERIFYPEER, 0)
+
try:
with open(out_file, "w") as fobj:
curl.setopt(pycurl.WRITEDATA, fobj)
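Review bot: The new `if ana_flags.noverifyssl:` block does not check `protocol`, so the "Disabling SSL verification" warning is also logged for plain http/ftp fetches, and it never names the URL, which makes the log hard to use when auditing which download ran unverified. I would narrow and enrich it: `if ana_flags.noverifyssl and protocol == "https":` with `log.warning("Disabling SSL verification for %s due to the noverifyssl flag", url)`. Because this override also discards an explicitly supplied `ca_certs` bundle, the integrity of the fetched content then rests entirely on whatever check the caller performs afterwards (none is visible in this hunk). A comment saying so would help, for example `# with verification off, callers must validate the downloaded content by other means`. Indentation is not preserved on this page, so I am assuming the block sits at function level after the `if ca_certs and protocol == "https":` branch; `_fetch_http_ftp_data` starts and ends outside the hunk.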
--
2.5.5