From dcd1c3b8867302f034edf841d4c0d23e02266223 Mon Sep 17 00:00:00 2001
From: kn <kn@openbsd.org>
Date: Sun, 24 Oct 2021 10:11:24 +0000
Subject: [PATCH] Fall back to HTTP for fetching automatically

Drop the "Unable to connect using https. Use http instead?" question as it
does not provide any security benefit;  SHA256.sig is used to verify sets.

Do provide an informative message iff the fallback happened such that
installations/upgrades that cannot Get/Verify first but Install directly
can be aborted in lack of SHA256.sig, i.e. sets were fetched over HTTP and
verification would be skipped.

Discussed with deraadt tb
OK deraadt
---
 distrib/miniroot/install.sub | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
index be4cb51e38c..f746d6ce772 100644
--- a/distrib/miniroot/install.sub
+++ b/distrib/miniroot/install.sub
@@ -1,5 +1,5 @@
 #!/bin/ksh
-#	$OpenBSD: install.sub,v 1.1181 2021/10/23 14:49:06 kn Exp $
+#	$OpenBSD: install.sub,v 1.1182 2021/10/24 10:11:24 kn Exp $
 #
 # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
 # Copyright (c) 2015, Robert Peichaer <rpe@openbsd.org>
@@ -1867,8 +1867,7 @@ install_http() {
 		case $_tls in
 		force)	$AI && exit 1 || return
 			;;
-		try)	ask_yn "Unable to connect using https. Use http instead?" ||
-				return
+		try)	echo "Unable to connect using HTTPS; using HTTP instead."
 			_http_proto=http
 			_url_base="http://$HTTP_SERVER/$HTTP_DIR"
 			unpriv -f $_sig ftp -vMo $_sig "$_url_base/SHA256.sig" \
-- 
2.20.1