Allow disabling cert validation entirely

cmd/constants.go

@@ -38,6 +38,9 @@ const (
 	PreserveInfoFlag           = "preserve-info"
 	IsNFSProtocolFlag          = "nfs"
 	HardlinksFlag              = "hardlinks"
+
+	// root command flags
+	AllowInsecureCertificatesFlag = "allow-insecure-certs"
 )
 
 const (

cmd/root.go

@@ -21,6 +21,7 @@
 package cmd
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -342,6 +343,8 @@ func init() {
 	_ = rootCmd.PersistentFlags().MarkHidden("memory-profile")
 	rootCmd.PersistentFlags().BoolVar(&checkAzCopyUpdates, "check-version", false,
 		"Check if a newer AzCopy version is available.")
+	rootCmd.PersistentFlags().BoolVar(&common.AllowInsecureCerts, AllowInsecureCertificatesFlag, false, "Use in combination with a MITM proxy for debugging purposes")
+	_ = rootCmd.PersistentFlags().MarkHidden(AllowInsecureCertificatesFlag)
 }
 
 // always spins up a new goroutine, because sometimes the aka.ms URL can't be reached (e.g. a constrained environment where
@@ -397,6 +400,9 @@ func getGitHubLatestRemoteVersionWithURL(apiEndpoint string) (*Version, error) {
 		IdleConnTimeout:    30 * time.Second,
 		DisableCompression: true,  // GitHub API responses are small
 		DisableKeepAlives:  false, // Connections are reused
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: common.AllowInsecureCerts,
+		},
 	}
 
 	client := &http.Client{

common/oauthTokenManager.go

@@ -22,6 +22,7 @@ package common
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -87,6 +88,8 @@ func NewUserOAuthTokenManagerInstance(credCacheOptions CredCacheOptions) *UserOA
 	}
 }
 
+var AllowInsecureCerts bool
+
 func newAzcopyHTTPClient() *http.Client {
 	return &http.Client{
 		Transport: &http.Transport{
@@ -105,6 +108,9 @@ func newAzcopyHTTPClient() *http.Client {
 			DisableKeepAlives:      false,
 			DisableCompression:     true,
 			MaxResponseHeaderBytes: 0,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: AllowInsecureCerts,
+			},
 			// ResponseHeaderTimeout:  time.Duration{},
 			// ExpectContinueTimeout:  time.Duration{},
 		},

ste/mgr-JobPartMgr.go

@@ -2,6 +2,7 @@ package ste
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"mime"
 	"net/http"
@@ -81,6 +82,7 @@ type IJobPartMgr interface {
 // 'ulimit -Hn' is low).
 func NewAzcopyHTTPClient(maxIdleConns int) *http.Client {
 	const concurrentDialsPerCpu = 10 // exact value doesn't matter too much, but too low will be too slow, and too high will reduce the beneficial effect on thread count
+
 	return &http.Client{
 		Transport: &http.Transport{
 			Proxy:                  common.GlobalProxyLookup,
@@ -93,6 +95,9 @@ func NewAzcopyHTTPClient(maxIdleConns int) *http.Client {
 			DisableKeepAlives:      false,
 			DisableCompression:     true, // must disable the auto-decompression of gzipped files, and just download the gzipped version. See https://github.com/Azure/azure-storage-azcopy/issues/374
 			MaxResponseHeaderBytes: 0,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: common.AllowInsecureCerts,
+			},
 			// ResponseHeaderTimeout:  time.Duration{},
 			// ExpectContinueTimeout:  time.Duration{},
 		},

ste/performanceAdvisor.go

@@ -22,6 +22,7 @@ package ste
 
 import (
 	"bytes"
+	"crypto/tls"
 	"fmt"
 	"github.com/Azure/azure-storage-azcopy/v10/common"
 	"net/http"
@@ -346,6 +347,11 @@ func (p *PerformanceAdvisor) GetAdvice() []common.PerformanceAdvice {
 func (p *PerformanceAdvisor) getAzureVmSize() string {
 	client := &http.Client{
 		Timeout: time.Second * 3, // no point in waiting too long, since when it works, it will be almost instant
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: common.AllowInsecureCerts,
+			},
+		},
 	}
 
 	req, err := http.NewRequest("GET", "http://169.254.169.254/metadata/instance/compute/vmSize?api-version=2019-03-11&format=text", nil)