From 8eaf7e32c1f5fda11b3879fe912abad2c9af107c Mon Sep 17 00:00:00 2001
From: Rongrong
Date: Mon, 5 Aug 2024 22:51:44 +0800
Subject: [PATCH] feat(web): new env var VERIFY_TLS (default: 1)

Fixes #498

Signed-off-by: Rongrong
---
 .env.sample | 1 +
 docker-compose.yml.sample | 1 +
 docs/CHANGELOG.md | 4 ++++
 docs/CHANGELOG.zh.md | 4 ++++
 docs/advanced-settings.md | 1 +
 src/compat.py | 3 ---
 src/env.py | 1 +
 src/web/req.py | 9 ++++++---
 8 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/.env.sample b/.env.sample
index 1c68443588..6b01cf7df8 100644
--- a/.env.sample
+++ b/.env.sample
@@ -27,6 +27,7 @@ TELEGRAPH_TOKEN="
 #IMAGES_WESERV_NL=https://t0.nl/ # default: https://wsrv.nl/
 #USER_AGENT=Mozilla/5.0 (Android 12; Mobile; rv:68.0) Gecko/68.0 Firefox/96.0 # default: RSStT/2.x RSS Reader
 #IPV6_PRIOR=1 # default: 0
+#VERIFY_TLS=0 # default: 1
 #T_PROXY=socks5://172.17.0.1:1080 # Proxy used to connect to the Telegram API
 #R_PROXY=socks5://172.17.0.1:1080 # Proxy used to fetch feeds
 #PROXY_BYPASS_PRIVATE=1 # default: 0
diff --git a/docker-compose.yml.sample b/docker-compose.yml.sample
index ae2d2271a4..3e67610546 100644
--- a/docker-compose.yml.sample
+++ b/docker-compose.yml.sample
@@ -37,6 +37,7 @@ services:
 #- IMAGES_WESERV_NL=https://t0.nl/ # default: https://wsrv.nl/
 #- USER_AGENT=Mozilla/5.0 (Android 12; Mobile; rv:68.0) Gecko/68.0 Firefox/96.0 # default: RSStT/2.x RSS Reader
 #- IPV6_PRIOR=1 # default: 0
+#- VERIFY_TLS=0 # default: 1
 #- T_PROXY=socks5://172.17.0.1:1080 # Proxy used to connect to the Telegram API
 #- R_PROXY=socks5://172.17.0.1:1080 # Proxy used to fetch feeds
 #- PROXY_BYPASS_PRIVATE=1 # default: 0
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index dd7ff7a0d7..a553458ce4 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -2,6 +2,10 @@
 ## Unreleased
+### Addition
+
+- **Disable TLS certificate verification**: The environment variable `VERIFY_TLS` has been added to disable (when set to `0`) or enable (when set to `1`, default) TLS certificate verification. This is useful when subscribing to feeds with their TLS misconfigured. Note: Disabling TLS certificate verification is not recommended and should only be used as a last resort.
+
 ### Enhancements
 - **Sanitize post title and author**: The title and author of a post (RSS item or Atom entry) are now sanitized to prevent unexpected formatting issues. In particular, unexpected whitespaces and linebreaks are removed, and any HTML elements are stripped. This helps display them correctly in Telegram messages as well as Telegraph posts.
diff --git a/docs/CHANGELOG.zh.md b/docs/CHANGELOG.zh.md
index 412a3f2e68..2667c5f67f 100644
--- a/docs/CHANGELOG.zh.md
+++ b/docs/CHANGELOG.zh.md
@@ -2,6 +2,10 @@
 ## 未发布
+### 新增功能
+
+- **关闭 TLS 证书验证**: 环境变量 `VERIFY_TLS` 已被添加以禁用 (设置为 `0` 时) 或启用 (设置为 `1` 时,默认) TLS 证书验证。当订阅 TLS 被错误配置的 feed 时,这很有用。注意:不建议禁用 TLS 证书验证,只应用作最后手段。
+
 ### 增强
 - **净化文章标题和作者**: 文章 (RSS item 或 Atom entry) 的标题和作者现在被净化以防止意外的格式问题。特别是,预期外的空格和换行符被移除,任何 HTML 元素都被剥离。这有助于在 Telegram 消息以及 Telegraph 文章中正确显示它们。
diff --git a/docs/advanced-settings.md b/docs/advanced-settings.md
index b3a86c45a1..c419916402 100644
--- a/docs/advanced-settings.md
+++ b/docs/advanced-settings.md
@@ -35,6 +35,7 @@
 | `PROXY_BYPASS_DOMAINS` | Bypass proxy for listed domains | `example.com;example.net` [^1] | |
 | `USER_AGENT` | User-Agent | `Mozilla/5.0` | `RSStT/$VERSION RSS Reader` |
 | `IPV6_PRIOR` | Enforce fetching feeds over IPv6 firstly or not? [^4] | `1` | `0` |
+| `VERIFY_TLS` | Verify TLS certificate or not? | `0` | `1` |
 | `TRAFFIC_SAVING` | Enable network traffic saving mode or not? [^5] | `1` | `0` |
 | `LAZY_MEDIA_VALIDATION` | Let Telegram DC to validate media or not? [^6] | `1` | `0` |
 | `HTTP_TIMEOUT` | HTTP request timeout in seconds | `60` | `12` |
diff --git a/src/compat.py b/src/compat.py
index 2541859120..6489d09ad3 100644
--- a/src/compat.py
+++ b/src/compat.py
@@ -80,9 +80,6 @@ async def __aexit__(self, exc_type, exc_value, traceback):
 self.transport.abort()
-# Reuse SSLContext as aiohttp does:
-# https://github.com/aio-libs/aiohttp/blob/b51610b93b2ae15c4062e3a1680a536ba5f4c5c4/aiohttp/connector.py#L906
-@functools.lru_cache(None)
 def ssl_create_default_context():
 """
 Python 3.10+ disabled some legacy cipher, while some websites still use them.
diff --git a/src/env.py b/src/env.py
index 396b25687a..cce2b9bfd3 100644
--- a/src/env.py
+++ b/src/env.py
@@ -292,6 +292,7 @@ def __get_version():
 PROXY_BYPASS_DOMAINS: Final = __list_parser(os.environ.get('PROXY_BYPASS_DOMAINS'))
 USER_AGENT: Final = os.environ.get('USER_AGENT') or f'RSStT/{__version__} RSS Reader'
 IPV6_PRIOR: Final = __bool_parser(os.environ.get('IPV6_PRIOR'))
+VERIFY_TLS: Final = __bool_parser(os.environ.get('VERIFY_TLS'), default_value=True)
 HTTP_TIMEOUT: Final = int(os.environ.get('HTTP_TIMEOUT') or 12)
 HTTP_CONCURRENCY: Final = int(os.environ.get('HTTP_CONCURRENCY') or 1024)
diff --git a/src/web/req.py b/src/web/req.py
index da77214728..3676a64122 100644
--- a/src/web/req.py
+++ b/src/web/req.py
@@ -40,6 +40,10 @@ from ..errors_collection import RetryInIpv4
 from .utils import YummyCookieJar, WebResponse, proxy_filter, logger, sentinel
+# Reuse SSLContext as aiohttp does:
+# https://github.com/aio-libs/aiohttp/blob/f1e4213fb06634584f8d7a1eb90f5397736a18cc/aiohttp/connector.py#L959
+__SSL_CONTEXT: Final = ssl_create_default_context() if env.VERIFY_TLS else False
+
 DEFAULT_READ_BUFFER_SIZE: Final = 2 ** 16
 PROXY: Final = env.R_PROXY.replace('socks5h', 'socks5').replace('sock4a', 'socks4') if env.R_PROXY else None
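Review bot: With `@functools.lru_cache(None)` removed, `ssl_create_default_context()` now builds a new `SSLContext` on every call, but its docstring does not tell callers that they are expected to create the context once and reuse it; add a line such as `Builds a fresh context on each call; create it once and reuse it (see web/req.py).` If the decorator was the only user of `functools` in compat.py, that import is now dead and should be dropped as well — the rest of the file is not visible in this hunk, so please check. The function body continues outside the hunk.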
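Review bot: `VERIFY_TLS` is a security kill-switch, so the parse at `__bool_parser(os.environ.get('VERIFY_TLS'), default_value=True)` should turn verification off only for an explicit falsy literal; if `__bool_parser` (not visible here) maps any unrecognised or empty string to `False`, a typo such as `VERIFY_TLS=ture` or an uncommented but blank `VERIFY_TLS=` would silently disable certificate checks for every feed. Please confirm that unrecognised values fall back to `default_value`, and consider a trailing comment on the new line: `# fail-safe: only an explicit 0/false disables verification`.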
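Review bot: When `VERIFY_TLS` is off, `__SSL_CONTEXT: Final = ... else False` hands `ssl=False` to every connector, which aiohttp takes as "skip certificate (and hostname) verification", yet nothing is logged, so an operator who set it once for a single broken feed gets no reminder that every fetch is now open to MITM. Emit a one-time warning right after the assignment using the `logger` imported in the same hunk: `if not env.VERIFY_TLS:` / `    logger.warning('VERIFY_TLS=0: TLS certificate verification is DISABLED for all feed fetches (MITM possible); use only as a last resort')`. If logging is not yet configured when this module is imported, move the warning to where the first connector is built instead. The comment above the constant should also spell out the `False` branch, e.g. `# False => aiohttp skips certificate verification (VERIFY_TLS=0)`.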
@@ -209,11 +213,10 @@ async def _fetch():
 if retry_in_v4_flag or tries > MAX_TRIES:
 socket_family = AF_INET
-ssl_context = ssl_create_default_context()
 proxy_connector = (
-ProxyConnector.from_url(PROXY, family=socket_family, ssl=ssl_context)
+ProxyConnector.from_url(PROXY, family=socket_family, ssl=__SSL_CONTEXT)
 if (PROXY and proxy_filter(host, parse=False))
-else aiohttp.TCPConnector(family=socket_family, ssl=ssl_context)
+else aiohttp.TCPConnector(family=socket_family, ssl=__SSL_CONTEXT)
 )
 try: