Diffstat (limited to 'src')
-rw-r--r--src/other_tools/utils/curl_easy_handle.cpp32
-rw-r--r--src/other_tools/utils/curl_easy_handle.hpp9
2 files changed, 41 insertions, 0 deletions
diff --git a/src/other_tools/utils/curl_easy_handle.cpp b/src/other_tools/utils/curl_easy_handle.cpp
index 87ef1520..837a9ad0 100644
--- a/src/other_tools/utils/curl_easy_handle.cpp
+++ b/src/other_tools/utils/curl_easy_handle.cpp
@@ -48,6 +48,13 @@ auto read_stream_data(gsl::not_null<std::FILE*> const& stream) noexcept
} // namespace
auto CurlEasyHandle::Create() noexcept -> std::shared_ptr<CurlEasyHandle> {
+ return Create(false, std::nullopt);
+}
+
+auto CurlEasyHandle::Create(
+ bool no_ssl_verify,
+ std::optional<std::filesystem::path> const& ca_bundle) noexcept
+ -> std::shared_ptr<CurlEasyHandle> {
try {
auto curl = std::make_shared<CurlEasyHandle>();
auto* handle = curl_easy_init();
@@ -55,6 +62,9 @@ auto CurlEasyHandle::Create() noexcept -> std::shared_ptr<CurlEasyHandle> {
return nullptr;
}
curl->handle_.reset(handle);
+ // store CA info
+ curl->no_ssl_verify_ = no_ssl_verify;
+ curl->ca_bundle_ = ca_bundle;
return curl;
} catch (std::exception const& ex) {
Logger::Log(LogLevel::Error,
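Review bot: Nothing records that certificate verification has been turned off when `no_ssl_verify` is stored here, so downloads made without authenticating the server leave no trace in the logs. A warning through `Logger::Log` at this point, emitted only when `no_ssl_verify` is true, would make that configuration visible to whoever audits a build. A short comment could also state that a `ca_bundle` passed together with `no_ssl_verify` gives no protection, since the verification result is then ignored. The `try` block begins before this hunk and the `catch` continues after it.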
@@ -114,6 +124,17 @@ auto CurlEasyHandle::DownloadToFile(
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
curl_easy_setopt(handle_.get(), CURLOPT_STDERR, tmp_file);
+ // set SSL options
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
+ curl_easy_setopt(handle_.get(),
+ CURLOPT_SSL_VERIFYPEER,
+ static_cast<int>(not no_ssl_verify_));
+ if (ca_bundle_) {
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
+ curl_easy_setopt(
+ handle_.get(), CURLOPT_CAINFO, ca_bundle_->c_str());
+ }
+
// perform download
auto res = curl_easy_perform(handle_.get());
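Review bot: `CURLOPT_SSL_VERIFYPEER` is passed as `static_cast<int>(...)`, but libcurl reads this option from the varargs as a `long`, so the value is not well defined on platforms where the two types differ in size; pass `0L`/`1L` or cast to `long`. The results of both `curl_easy_setopt` calls are also discarded, so if `CURLOPT_CAINFO` cannot be applied the transfer continues against the default trust store instead of the bundle the caller asked for; a failed option should abort the download. The same block is repeated in the `DownloadToString` hunk, and a private helper that applies the TLS options and returns the `CURLcode` would keep the two in sync. Both function bodies extend beyond the hunks shown.

```cpp
// set SSL options; libcurl reads CURLOPT_SSL_VERIFYPEER as a long
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
auto ssl_rc = curl_easy_setopt(handle_.get(),
                               CURLOPT_SSL_VERIFYPEER,
                               no_ssl_verify_ ? 0L : 1L);
if (ssl_rc == CURLE_OK and ca_bundle_) {
    // NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
    ssl_rc = curl_easy_setopt(
        handle_.get(), CURLOPT_CAINFO, ca_bundle_->c_str());
}
if (ssl_rc != CURLE_OK) {
    // fail here, following the function's existing error path, rather
    // than downloading with trust settings the caller did not request
}

// … unchanged: perform download …
```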
@@ -182,6 +203,17 @@ auto CurlEasyHandle::DownloadToString(std::string const& url) noexcept
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
curl_easy_setopt(handle_.get(), CURLOPT_STDERR, tmp_file);
+ // set SSL options
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
+ curl_easy_setopt(handle_.get(),
+ CURLOPT_SSL_VERIFYPEER,
+ static_cast<int>(not no_ssl_verify_));
+ if (ca_bundle_) {
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg, hicpp-vararg)
+ curl_easy_setopt(
+ handle_.get(), CURLOPT_CAINFO, ca_bundle_->c_str());
+ }
+
// perform download
auto res = curl_easy_perform(handle_.get());
diff --git a/src/other_tools/utils/curl_easy_handle.hpp b/src/other_tools/utils/curl_easy_handle.hpp
index 33bf462e..ea5989a1 100644
--- a/src/other_tools/utils/curl_easy_handle.hpp
+++ b/src/other_tools/utils/curl_easy_handle.hpp
@@ -49,6 +49,12 @@ class CurlEasyHandle {
[[nodiscard]] auto static Create() noexcept
-> std::shared_ptr<CurlEasyHandle>;
+ /// \brief Create a CurlEasyHandle object with non-default CA info
+ [[nodiscard]] auto static Create(
+ bool no_ssl_verify,
+ std::optional<std::filesystem::path> const& ca_bundle) noexcept
+ -> std::shared_ptr<CurlEasyHandle>;
+
/// \brief Download file from URL into given file_path.
/// Will perform cleanup (i.e., remove empty file) in case download fails.
/// Returns 0 if successful.
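Review bot: The `\brief` on the new `Create` overload does not say what either argument does, and `no_ssl_verify` is security-relevant enough to deserve an explicit statement. I would add `/// \param no_ssl_verify If true, the peer's TLS certificate is not verified.` and `/// \param ca_bundle Optional CA bundle file used instead of libcurl's default.` below it. The diffstat accounts for every added line in this header with the declaration and the two members, so `<optional>` and `<filesystem>` presumably reach it through includes that were already there; it is worth confirming they are included directly.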
@@ -68,6 +74,9 @@ class CurlEasyHandle {
nullptr,
curl_easy_closer};
+ bool no_ssl_verify_{false};
+ std::optional<std::filesystem::path> ca_bundle_{std::nullopt};
+
/// \brief Overwrites write_callback to redirect to file instead of stdout.
[[nodiscard]] auto static EasyWriteToFile(gsl::owner<char*> data,
size_t size,