urls - add AIA support. needs python lib aia.

diff --git a/modules/urls.py b/modules/urls.py
index 5793adecea2c053a972ba4c902faab56e1ea6c7e..1dbb65e94490887fd47b74aea0892b23159333ac 100644 (file)
--- a/modules/urls.py
+++ b/modules/urls.py
@@ -38,6 +38,20 @@ else:
 
 import re, json, datetime
 
+try:
+       import aia
+       aia_session = aia.AIASession()
+       # aia is broken on capath systems, needs cafile to work
+       aia_session._context.load_verify_locations(cafile='/etc/ssl/certs/ca-certificates.crt')
+       aia_session._trusted = {
+               aia.openssl_get_cert_info(ca_der)["subject"]: ca_der
+               for ca_der in aia_session._context.get_ca_certs(True)
+       }
+       print("aia loaded")
+except ImportError as e:
+       print(repr(e))
+       aia = None
+
 hostmask_regex = re.compile(r'^(.*)!(.*)@(.*)$')
 
 def parser_hostmask(hostmask):
@@ -223,14 +237,13 @@ def _humanize_bytes(b):
        else:
                return "%.2f%siB" % (b, table[i])
 
-def goturl(url):
-       output = []
-       for _, group in other_regexes:
-               for regex in group:
-                       if regex.match(url):
-                               return None
+def _do_request(url, try_aia=False):
+       """Returns the HTTPResponse object, or a string on error"""
        request = urllib2.Request(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'})
-       opener = urllib2.build_opener(SmartRedirectHandler())
+       if try_aia:
+               opener = urllib2.build_opener(urllib2.HTTPSHandler(context=aia_session.ssl_context_from_url(url)), SmartRedirectHandler())
+       else:
+               opener = urllib2.build_opener(SmartRedirectHandler())
 
        # Send request and handle errors
        try:
@@ -238,12 +251,33 @@ def goturl(url):
        except urllib2.HTTPError as e:
                return 'Request error: %s %s' % (e.code, e.reason)
        except urllib2.URLError as e:
-               return 'Request error: %s' % (e.reason)
+               if "certificate verify failed: unable to get local issuer certificate" in str(e.reason):
+                       if aia: # Retry with AIA enabled
+                               return _do_request(url, True)
+                       else:
+                               lib.parent.log('urls', '?', 'If the site is not serving the certificate chain, installing the aia library might make this request work: pip install aia')
+                               return 'Request error: site may have broken TLS configuration (%s)' % (e.reason)
+               else:
+                       return 'Request error: %s' % (e.reason)
        except TimeoutError as e:
                return 'Request error: request timed out'
        except Exception as e:
                return 'Unknown error: %s %r' % (type(e).__name__, e.args)
 
+       return response
+
+
+def goturl(url):
+       output = []
+       for _, group in other_regexes:
+               for regex in group:
+                       if regex.match(url):
+                               return None
+
+       response = _do_request(url)
+       if isinstance(response, stringbase):
+               return response
+
        # Try to add type and length headers to reply
        c_type = response.getheader('Content-Type', '').split(';', 1)[0]
        c_len = response.getheader('Content-Length')