Allow disabling of ssl certificate checks.

config/linkcheckerrc

@@ -172,6 +172,9 @@
 #localwebroot=/var/www/
 # Windows example:
 #localwebroot=/C|/public_html/
+# Check SSL certificates. Set to an absolute pathname for a custom
+# CA cert bundle to use. Set to zero to disable SSL certificate verification.
+#sslverify=1
 # Check that SSL certificates are at least the given number of days valid.
 # The number must not be negative.
 # If the number of days is zero a warning is printed only for certificates

doc/changelog.txt

@@ -8,6 +8,9 @@ Changes:
 - checking: Always use the W3C validator to check HTML or CSS syntax.
 - checking: Remove the http-wrong-redirect warning.
 - checking: Remove the url-content-duplicate warning.
+- checking: Make SSL certificate verificate optional and allow
+  user-specified certificate files.
+  Closes: GH bug #387
 - cmdline: Replace argument parsing. No changes in functionality, only
   the help text will be formatted different.
 - gui: Check early if help files are not found.

doc/de/linkcheckerrc.5

@@ -132,6 +132,14 @@ Anzahl von Bytes übersteigt.
 .br
 Kommandozeilenoption: \fB\-\-warning\-size\-bytes\fP
 .TP 
+\fBsslverify=\fP[\fB0\fP|\fB1\fP|\fIdateiname\fP]
+Falls der Wert Null ist werden SSL Zertifikate nicht überprüft. Falls er auf
+Eins gesetzt wird (der Standard) werden SSL Zertifikate mit der gelieferten
+CA Zertifikatsdatei geprüft. Falls ein Dateiname angegeben ist wird dieser
+zur Prüfung verwendet.
+.br
+Kommandozeilenoption: keine
+.TP 
 \fBwarnsslcertdaysvalid=\fP\fINUMBER\fP
 Prüfe ob SSL\-Zertifikate mindestens die angegebene Anzahl an Tagen gültig
 sind. Die Anzahl darf nicht negativ sein. Falls die Anzahl Null ist wird

doc/en/linkcheckerrc.5

@@ -124,6 +124,14 @@ number of \fIbytes\fP.
 .br
 Command line option: \fB\-\-warning\-size\-bytes\fP
 .TP
+\fBsslverify=\fP[\fB0\fP|\fB1\fP|\fIfilename\fP]
+If set to zero disables SSL certificate checking.
+If set to one (the default) enables SSL certificate checking with
+the provided CA certificate file. If a filename is specified, it
+will be used as the certificate file.
+.br
+Command line option: none
+.TP
 \fBwarnsslcertdaysvalid=\fP\fINUMBER\fP
 Check that SSL certificates are at least the given number of days valid.
 The number must not be negative.

linkcheck/checker/httpsurl.py

@@ -52,8 +52,6 @@ class HttpsUrl (httpurl.HttpUrl):
         cert = ssl_sock.getpeercert()
         log.debug(LOG_CHECK, "Got SSL certificate %s", cert)
         if not cert:
-            msg = _('empty or no certificate found')
-            self.add_ssl_warning(ssl_sock, msg)
             return
         if 'subject' in cert:
             self.check_ssl_hostname(ssl_sock, cert, host)

linkcheck/checker/httpurl.py

@@ -639,7 +639,12 @@ class HttpUrl (internpaturl.InternPatternUrl, proxysupport.ProxySupport, pooledc
                 h = httplib.HTTPConnection(host, **kwargs)
             elif scheme == "https" and supportHttps:
                 devel_dir = os.path.join(configuration.configdata.install_data, "config")
-                kwargs["ca_certs"] = configuration.get_share_file(devel_dir, 'ca-certificates.crt')
+                sslverify = self.aggregate.config["sslverify"]
+                if sslverify:
+                    if sslverify is not True:
+                        kwargs["ca_certs"] = sslverify
+                    else:
+                        kwargs["ca_certs"] = configuration.get_share_file(devel_dir, 'ca-certificates.crt')
                 h = httplib.HTTPSConnection(host, **kwargs)
             else:
                 msg = _("Unsupported HTTP url scheme `%(scheme)s'") % {"scheme": scheme}

linkcheck/configuration/__init__.py

@@ -169,6 +169,7 @@ class Configuration (dict):
         self["useragent"] = UserAgent
         self["debugmemory"] = False
         self["localwebroot"] = None
+        self["sslverify"] = True
         self["warnsslcertdaysvalid"] = 14
         self["maxrunseconds"] = None
         self["maxnumurls"] = None

linkcheck/configuration/confparse.py

@@ -1,5 +1,5 @@
 # -*- coding: iso-8859-1 -*-
-# Copyright (C) 2000-2012 Bastian Kleineidam
+# Copyright (C) 2000-2013 Bastian Kleineidam
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -167,6 +167,10 @@ class LCConfigParser (ConfigParser.RawConfigParser, object):
                 self.getboolean(section, "cookies")
         self.read_string_option(section, "cookiefile")
         self.read_string_option(section, "localwebroot")
+        try:
+            self.read_boolean_option(section, "sslverify")
+        except ValueError:
+            self.read_string_option(section, "sslverify")
         self.read_int_option(section, "warnsslcertdaysvalid", min=1)
         self.read_int_option(section, "maxrunseconds", min=0)
 

tests/configuration/data/config0.ini

@@ -13,6 +13,7 @@ useragent=Example/0.0
 pause=99
 debugmemory=1
 localwebroot=foo
+sslverify=/path/to/cacerts.crt
 warnsslcertdaysvalid=99
 
 [filtering]

tests/configuration/test_config.py

@@ -53,6 +53,7 @@ class TestConfig (unittest.TestCase):
         self.assertEqual(config["wait"], 99)
         self.assertEqual(config["debugmemory"], 1)
         self.assertEqual(config["localwebroot"], "foo")
+        self.assertEqual(config["sslverify"], "/path/to/cacerts.crt")
         self.assertEqual(config["warnsslcertdaysvalid"], 99)
         # filtering section
         patterns = [x["pattern"].pattern for x in config["externlinks"]]