Consolidate SSL bypass to single env var GRK_CURL_ALLOW_INSECURE

Grok Compression · Grok Compression · commit 95599722e34b · 2026-05-09T15:11:52.000-04:00
Remove GRK_HTTP_UNSAFESSL; use GRK_CURL_ALLOW_INSECURE everywhere.
Update launch.json, S3.md docs, S3Fetcher and CurlFetcher.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -102,7 +102,7 @@
                 { "name": "AWS_SECRET_ACCESS_KEY", "value": "minioadmin" },
                 { "name": "AWS_S3_ENDPOINT", "value": "https://minio.example.com:9000" },
                 { "name": "AWS_VIRTUAL_HOSTING", "value": "FALSE" },
-                { "name": "GRK_HTTP_UNSAFESSL", "value": "YES" }
+                { "name": "GRK_CURL_ALLOW_INSECURE", "value": "YES" }
             ],
             "MIMode": "gdb",
             "miDebuggerPath": "/usr/bin/gdb"
@@ -130,7 +130,7 @@
                 { "name": "AWS_SECRET_ACCESS_KEY", "value": "minioadmin" },
                 { "name": "AWS_S3_ENDPOINT", "value": "https://minio.example.com:9000" },
                 { "name": "AWS_VIRTUAL_HOSTING", "value": "FALSE" },
-                { "name": "GRK_HTTP_UNSAFESSL", "value": "YES" }
+                { "name": "GRK_CURL_ALLOW_INSECURE", "value": "YES" }
             ],
             "MIMode": "gdb",
             "miDebuggerPath": "/usr/bin/gdb"
@@ -528,7 +528,7 @@
                 { "name": "AWS_SECRET_ACCESS_KEY", "value": "minioadmin" },
                 { "name": "AWS_S3_ENDPOINT", "value": "https://minio.example.com:9000" },
                 { "name": "AWS_VIRTUAL_HOSTING", "value": "FALSE" },
-                { "name": "GRK_HTTP_UNSAFESSL", "value": "YES" }
+                { "name": "GRK_CURL_ALLOW_INSECURE", "value": "YES" }
             ],
             "MIMode": "gdb",
             "miDebuggerPath": "/usr/bin/gdb"
@@ -610,7 +610,7 @@
                 { "name": "AWS_SECRET_ACCESS_KEY", "value": "minioadmin" },
                 { "name": "AWS_S3_ENDPOINT", "value": "https://minio.example.com:9000" },
                 { "name": "AWS_VIRTUAL_HOSTING", "value": "FALSE" },
-                { "name": "GRK_HTTP_UNSAFESSL", "value": "YES" }
+                { "name": "GRK_CURL_ALLOW_INSECURE", "value": "YES" }
             ],
             "MIMode": "gdb",
             "miDebuggerPath": "/usr/bin/gdb"
@@ -809,7 +809,7 @@
                 { "name": "AWS_SECRET_ACCESS_KEY", "value": "minioadmin" },
                 { "name": "AWS_S3_ENDPOINT", "value": "https://minio.example.com:9000" },
                 { "name": "AWS_VIRTUAL_HOSTING", "value": "TRUE" },
-                { "name": "GRK_HTTP_UNSAFESSL", "value": "TRUE" },
+                { "name": "GRK_CURL_ALLOW_INSECURE", "value": "TRUE" },
             ],
             "cwd": "${workspaceFolder}",
             "MIMode": "gdb",
@@ -862,7 +862,7 @@
                 { "name": "AWS_SECRET_ACCESS_KEY", "value": "minioadmin" },
                 { "name": "AWS_S3_ENDPOINT", "value": "https://minio.example.com:9000" },
                 { "name": "AWS_VIRTUAL_HOSTING", "value": "FALSE" },
-                { "name": "GRK_HTTP_UNSAFESSL", "value": "TRUE" },
+                { "name": "GRK_CURL_ALLOW_INSECURE", "value": "TRUE" },
             ],
             "cwd": "${workspaceFolder}",
             "MIMode": "gdb",
diff --git a/doc/S3.md b/doc/S3.md
@@ -207,7 +207,6 @@ These variables are handled in the `auth()` method and apply to all S3 requests.
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `GRK_CURL_ALLOW_INSECURE` | `NO` | Disable SSL certificate verification |
-| `GRK_HTTP_UNSAFESSL` | `NO` | Disable SSL verification (inherited from CurlFetcher) |
 
 ### Timeouts
 
diff --git a/src/lib/core/stream/fetchers/CurlFetcher.h b/src/lib/core/stream/fetchers/CurlFetcher.h
@@ -561,9 +561,7 @@ class CurlFetcher : public IFetcher
 
   virtual void auth(CURL* curl)
   {
-    if(EnvVarManager::test_bool("GRK_HTTP_UNSAFESSL") ||
-       EnvVarManager::test_bool("GRK_CURL_ALLOW_INSECURE") ||
-       auth_.s3_allow_insecure_)
+    if(EnvVarManager::test_bool("GRK_CURL_ALLOW_INSECURE") || auth_.s3_allow_insecure_)
     {
       curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
       curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
diff --git a/src/lib/core/stream/fetchers/S3Fetcher.h b/src/lib/core/stream/fetchers/S3Fetcher.h
@@ -151,7 +151,6 @@ namespace grk
  * ║  HTTP / CURL CONFIGURATION                                              ║
  * ╠═══════════════════════════════════════════════════════════════════════════╣
  * ║  GRK_CURL_ALLOW_INSECURE           YES / NO — disable SSL verification  ║
- * ║  GRK_HTTP_UNSAFESSL                YES / NO — same (from CurlFetcher)   ║
  * ║  GRK_CURL_TIMEOUT                  Request timeout in seconds            ║
  * ║  GRK_CURL_CACHE_SIZE               Curl receive buffer size in bytes     ║
  * ║  GRK_CURL_NON_CACHED               Disable connection reuse for prefix   ║

Original file line number	Diff line number	Diff line change
`@@ -561,9 +561,7 @@ class CurlFetcher : public IFetcher`
`561`	`561`
`562`	`562`	`virtual void auth(CURL* curl)`
`563`	`563`	`{`
`564`		`- if(EnvVarManager::test_bool("GRK_HTTP_UNSAFESSL") \|\|`
`565`		`- EnvVarManager::test_bool("GRK_CURL_ALLOW_INSECURE") \|\|`
`566`		`- auth_.s3_allow_insecure_)`
	`564`	`+ if(EnvVarManager::test_bool("GRK_CURL_ALLOW_INSECURE") \|\| auth_.s3_allow_insecure_)`
`567`	`565`	`{`
`568`	`566`	`curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);`
`569`	`567`	`curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);`