allow insecure connections: -k / --insecure

help.c

@@ -233,6 +233,7 @@ void usage(const char *me)
 	format_help(NULL, "--timestamp / --ts", gettext("put a timestamp before the measured values, use -v to include the date and -vv to show in microseconds"));
 	format_help(NULL, "--aggregate x[,y[,z]]", gettext("show an aggregate each x[/y[/z[/etc]]] seconds"));
 #ifndef NO_SSL
+	format_help("-k", "--insecure", gettext("allow insecure server connections"));
 	format_help("-z", "--show-fingerprint", gettext("show fingerprint (SSL)"));
 	format_help(NULL, "--ca-path", gettext("path to ca certificates (SSL)"));
 #endif

main.c

@@ -970,6 +970,7 @@ int main(int argc, char *argv[])
 	struct addrinfo *ai_proxy = NULL, *ai_use_proxy = NULL;
 	char http2 = 0;
 	char use_median = 0;
+	char ignore_ssl_errors = 0;
 
 	static struct option long_options[] =
 	{
@@ -992,6 +993,7 @@ int main(int argc, char *argv[])
 		{"show-kb",	0, NULL, 'X' },
 		{"no-cache",	0, NULL, 'Z' },
 #ifndef NO_SSL
+		{"insecure",	0, NULL, 'k' },
 		{"use-ssl",	0, NULL, 'l' },
 		{"show-fingerprint",	0, NULL, 'z' },
 #endif
@@ -1068,7 +1070,7 @@ int main(int argc, char *argv[])
 
 	signal(SIGPIPE, SIG_IGN);
 
-	while((c = getopt_long(argc, argv, "2DKEA5MvYWT:ZQ6Sy:XL:bBg:h:p:c:i:Gx:t:o:e:falqsmV?I:R:rn:N:zP:U:C:F", long_options, NULL)) != -1)
+	while((c = getopt_long(argc, argv, "2DKEA5MvYWT:ZQ6Sy:XL:bBg:h:p:c:i:Gx:t:o:e:falqsmV?I:R:rn:N:zP:U:C:Fk", long_options, NULL)) != -1)
 	{
 		switch(c)
 		{
@@ -1358,6 +1360,10 @@ int main(int argc, char *argv[])
 				show_statuscodes = 1;
 				break;
 
+			case 'k':
+				ignore_ssl_errors = 1;
+				break;
+
 			case 'V':
 				version();
 				return 0;
@@ -1792,7 +1798,7 @@ int main(int argc, char *argv[])
 #ifndef NO_SSL
 				if (use_ssl && ssl_h == NULL)
 				{
-					int rc = connect_ssl(fd, client_ctx, &ssl_h, &s_bio, timeout, &ssl_handshake, hostname);
+					int rc = connect_ssl(fd, client_ctx, &ssl_h, &s_bio, timeout, &ssl_handshake, hostname, ignore_ssl_errors);
 					if (rc == 0)
 						update_statst(&t_ssl, ssl_handshake);
 					else

mssl.c

@@ -187,7 +187,7 @@ int WRITE_SSL(SSL *const ssl_h, const char *wherefrom, int len, const double tim
 	return cnt;
 }
 
-int connect_ssl(const int fd, SSL_CTX *const client_ctx, SSL **const ssl_h, BIO **const s_bio, const double timeout, double *const ssl_handshake, char *const hostname)
+int connect_ssl(const int fd, SSL_CTX *const client_ctx, SSL **const ssl_h, BIO **const s_bio, const double timeout, double *const ssl_handshake, char *const hostname, const char ignore_ssl_errors)
 {
 	double dstart = get_ts();
 	double end = get_ts() + timeout;
@@ -269,7 +269,7 @@ int connect_ssl(const int fd, SSL_CTX *const client_ctx, SSL **const ssl_h, BIO
 		set_error(gettext("SSL no peer certificate"));
 
 	long v = SSL_get_verify_result(*ssl_h);
-	if (v != X509_V_OK)
+	if (v != X509_V_OK && ignore_ssl_errors == 0)
 		set_error(gettext("SSL certificate validation failed: %s"), X509_verify_cert_error_string(v));
 
 	if (got_sigquit)

mssl.h

@@ -9,7 +9,7 @@ void shutdown_ssl(void);
 int close_ssl_connection(SSL *const ssl_h);
 int READ_SSL(SSL *const ssl_h, char *whereto, int len, const double timeout);
 int WRITE_SSL(SSL *const ssl_h, const char *whereto, int len, const double timeout);
-int connect_ssl(const int fd, SSL_CTX *const client_ctx, SSL **const ssl_h, BIO **const s_bio, const double timeout, double *const ssl_handshake, char *const hostname);
+int connect_ssl(const int fd, SSL_CTX *const client_ctx, SSL **const ssl_h, BIO **const s_bio, const double timeout, double *const ssl_handshake, char *const hostname, const char ignore_ssl_errors);
 SSL_CTX * initialize_ctx(const char ask_compression, const char *ca_path);
 char * get_fingerprint(SSL *const ssl_h);
 int connect_ssl_proxy(const int fd, struct addrinfo *const ai, const double timeout, const char *const proxy_user, const char *const proxy_password, const char *const hostname, const int portnr, char *const tfo);