Add enable_curl_server_cert_verification option

carlopi · carlopi · commit e12faac62455 · 2025-09-07T10:56:37.000+02:00
diff --git a/extension/httpfs/httpfs.cpp b/extension/httpfs/httpfs.cpp
@@ -48,6 +48,8 @@ unique_ptr<HTTPParams> HTTPFSUtil::InitializeParameters(optional_ptr<FileOpener>
 	FileOpener::TryGetCurrentSetting(opener, "http_retry_wait_ms", result->retry_wait_ms, info);
 	FileOpener::TryGetCurrentSetting(opener, "http_retry_backoff", result->retry_backoff, info);
 	FileOpener::TryGetCurrentSetting(opener, "http_keep_alive", result->keep_alive, info);
+	FileOpener::TryGetCurrentSetting(opener, "enable_curl_server_cert_verification", result->enable_curl_server_cert_verification,
+	                                 info);
 	FileOpener::TryGetCurrentSetting(opener, "enable_server_cert_verification", result->enable_server_cert_verification,
 	                                 info);
 	FileOpener::TryGetCurrentSetting(opener, "ca_cert_file", result->ca_cert_file, info);
diff --git a/extension/httpfs/httpfs_curl_client.cpp b/extension/httpfs/httpfs_curl_client.cpp
@@ -135,10 +135,12 @@ class HTTPFSCurlClient : public HTTPClient {
 			curl_easy_setopt(*curl, CURLOPT_FORBID_REUSE, 1L);
 		}
 
-		// client->enable_server_certificate_verification(http_params.enable_server_cert_verification);
-		if (http_params.enable_server_cert_verification) {
+		if (http_params.enable_curl_server_cert_verification) {
 			curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYPEER, 1L);   // Verify the cert
 			curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYHOST, 2L);   // Verify that the cert matches the hostname
+		} else {
+			curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYPEER, 0L);   // Override default, don't verify the cert
+			curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYHOST, 0L);   // Override default, don't verify that the cert matches the hostname
 		}
 
 		// set read timeout
diff --git a/extension/httpfs/httpfs_extension.cpp b/extension/httpfs/httpfs_extension.cpp
@@ -55,6 +55,7 @@ static void LoadInternal(ExtensionLoader &loader) {
 	    "http_keep_alive",
 	    "Keep alive connections. Setting this to false can help when running into connection failures",
 	    LogicalType::BOOLEAN, Value(true));
+	config.AddExtensionOption("enable_curl_server_cert_verification", "Enable server side certificate verification for CURL backend.", LogicalType::BOOLEAN, Value(true));
 	config.AddExtensionOption("enable_server_cert_verification", "Enable server side certificate verification.",
 	                          LogicalType::BOOLEAN, Value(false));
 	config.AddExtensionOption("ca_cert_file", "Path to a custom certificate file for self-signed certificates.",
diff --git a/extension/httpfs/include/httpfs_client.hpp b/extension/httpfs/include/httpfs_client.hpp
@@ -19,6 +19,7 @@ struct HTTPFSParams : public HTTPParams {
 
 	bool force_download = DEFAULT_FORCE_DOWNLOAD;
 	bool enable_server_cert_verification = DEFAULT_ENABLE_SERVER_CERT_VERIFICATION;
+	bool enable_curl_server_cert_verification = true;
 	idx_t hf_max_per_page = DEFAULT_HF_MAX_PER_PAGE;
 	string ca_cert_file;
 	string bearer_token;

Original file line number	Diff line number	Diff line change
`@@ -135,10 +135,12 @@ class HTTPFSCurlClient : public HTTPClient {`
`135`	`135`	`curl_easy_setopt(*curl, CURLOPT_FORBID_REUSE, 1L);`
`136`	`136`	`}`
`137`	`137`
`138`		`- // client->enable_server_certificate_verification(http_params.enable_server_cert_verification);`
`139`		`- if (http_params.enable_server_cert_verification) {`
	`138`	`+ if (http_params.enable_curl_server_cert_verification) {`
`140`	`139`	`curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYPEER, 1L); // Verify the cert`
`141`	`140`	`curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYHOST, 2L); // Verify that the cert matches the hostname`
	`141`	`+ } else {`
	`142`	`+ curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYPEER, 0L); // Override default, don't verify the cert`
	`143`	`+ curl_easy_setopt(*curl, CURLOPT_SSL_VERIFYHOST, 0L); // Override default, don't verify that the cert matches the hostname`
`142`	`144`	`}`
`143`	`145`
`144`	`146`	`// set read timeout`