From e18728e8b1b3d682ea712bfba592cc9745ac9fb9 Mon Sep 17 00:00:00 2001
From: VVX7
Date: Wed, 2 Oct 2019 13:35:12 -0400
Subject: [PATCH] chg: [authentication] enforce session ssl
---
 config/config.cfg.default | 2 +-
 server.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/config/config.cfg.default b/config/config.cfg.default
index 615f0d6..ec9d131 100644
--- a/config/config.cfg.default
+++ b/config/config.cfg.default
@@ -5,7 +5,7 @@ debug = False
 [Auth]
 misp_fqdn = "https://misp.local"
-
+ssl_verify = True
 [Dashboard]
 #hours
diff --git a/server.py b/server.py
index bcc7b79..60de476 100755
--- a/server.py
+++ b/server.py
@@ -34,6 +34,7 @@ server_host = cfg.get("Server", "host")
 server_port = cfg.getint("Server", "port")
 server_debug = cfg.get("Server", "debug")
 auth_host = cfg.get("Auth", "misp_fqdn")
+auth_ssl_verify = cfg.get("Auth", "ssl_verify")
 app = Flask(__name__)
@@ -94,7 +95,7 @@ class User(UserMixin):
 misp_login_page = auth_host + "/users/login"
 session = requests.Session()
- session.verify = True
+ session.verify = auth_ssl_verify
 # The login page contains hidden form values required for authenticaiton.
 login_page = session.get(misp_login_page)
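Review bot: `cfg.get("Auth", "ssl_verify")` returns the option as text, so if `cfg` is a configparser object (the neighbouring `cfg.getint` call suggests it is), the `session.verify` assignment in the `User` hunk receives the string `"True"` or `"False"` rather than a boolean. requests treats a string `verify` as a CA-bundle path, so `ssl_verify = False` would not turn verification off and the default `True` would be looked up as a file path. Read the option as a boolean instead: `auth_ssl_verify = cfg.getboolean("Auth", "ssl_verify", fallback=True)`. The fallback, where the configparser in use supports it, keeps existing config files without the new key on the verifying default.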
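Review bot: `session.verify = auth_ssl_verify` lets a config value switch certificate verification off for the session that fetches the MISP login page, and nothing in the visible lines records that this has happened. I would log a warning at startup when verification is disabled. I would also document in `config.cfg.default` that a private CA is better handled by pointing verification at a CA bundle than by setting `ssl_verify = False`; a comment such as `# Verify the MISP TLS certificate; keep True outside of test setups` above the option would do. The enclosing method starts and ends outside the hunk.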