sub new {
my ($class, %param) = @_;
- my $ssl_default_opts = { verify_hostname => 0 };
- my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;
+ my $ssl_opts = $param{ssl_opts} || {};
+ if (!defined($ssl_opts->{verify_hostname})) {
+ if (scalar(keys $param{cached_fingerprints}->%*) > 0) {
+ # purely trust the configured fingerprints, by default
+ $ssl_opts->{verify_hostname} = 0;
+ } else {
+ # no fingerprints passed, enforce hostname verification, by default
+ $ssl_opts->{verify_hostname} = 1;
+ }
+ }
# we can only really trust openssl result if it also verifies the hostname,
# else it's easy to intercept (MITM using valid Lets Encrypt)
my $trust_openssl = $ssl_opts->{verify_hostname} ? 1 : 0;
$self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
}
if (!$self->{protocol}) {
- $self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
+ # cope that PBS and PVE can be installed on the same host, and one may thus use
+ # 'localhost' then - so only default to http for privileged ports, in that case,
+ # as the HTTP daemons normally run with those (e.g., 85 or 87)
+ $self->{protocol} = $self->{host} eq 'localhost' && $self->{port} < 1024
+ ? 'http'
+ : 'https'
+ ;
}
$self->{useragent} = LWP::UserAgent->new(