# HG changeset patch
# User Jonas Schäfer
# Date 1630242287 -7200
# Node ID 83d6d6a70edfe5d72bb3e55b0bb27f7ee8f2d92c
# Parent 9f723b54e1111bceb1eef64b8c3358adfa0504a1
net.http: fail open if surrounding code does not configure TLS
Previously, if surrounding code was not configuring the TLS context used default in net.http, it would not validate certificates at all. This is not a security issue with prosody, because prosody updates the context with `verify = "peer"` as well as paths to CA certificates in util.startup.init_http_client. Nevertheless... Let's not leave this pitfall out there in the open.
diff -r 9f723b54e111 -r 83d6d6a70edf net/http.lua
--- a/net/http.lua Thu Aug 26 16:42:42 2021 +0100
+++ b/net/http.lua Sun Aug 29 15:04:47 2021 +0200
@@ -332,7 +332,7 @@
 end
 local default_http = new({
- sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1" };
+ sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1", verify = "peer" };
 suppress_errors = true;
 });
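Review bot: The new `verify = "peer"` on the `sslctx` line of `default_http` has no `cafile`/`capath` beside it, so a context built from this table alone has no trust anchors and every TLS handshake should fail verification until the caller supplies CA paths; the commit message says util.startup.init_http_client does exactly that, but nothing in the hunk records this expectation for the next reader. A one-line comment above the entry would make the contract explicit, e.g. `-- Verification is on by default; callers must supply cafile/capath (see util.startup.init_http_client) or every HTTPS request will be rejected`. Note also that `verify = "peer"` in LuaSec covers chain validation only; whether the certificate is matched against the requested host depends on net.http's own identity check elsewhere in this file, which is outside the hunk and worth confirming still runs for this default client. Finally, the subject line reads "fail open if surrounding code does not configure TLS", which describes the old behaviour rather than the change; "fail closed" (or "do not fail open") would match what the `+` line actually does.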