PHP_NETCURL / NETCURL-48

Network Library Hardening of Curl (SSL Certificates must be verified as default)

Details

    • Task
    • Status: Done
    • Medium
    • Resolution: Done
    • None
    • 5.0.X
    • MODULE_CURL
    • None
    • TorneLIB 5.0.0 (Deprecated)

    Description

      Make sure the curl library is always verifying that the host is the host you want to talk to.

      https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

      The discovery of this issue was made during the setup of LIB-37, where we've added an extra ini_set to make sure that the SSL certificates can be adjusted if they're in a different location than the default place (the discovery was basically that host and peer verification was not enabled in the defaults of the class).

      From PHP 5.6 there is an implementation of openssl_get_cert_locations(), from which we can fetch a certificate's current default location. This should normally be enough, but during historical tests we've discovered that, for example, Slackware 13 and older distributions did not have certificates stored in /etc/ssl/certs.

      From now on, allowUnverifiedSSL must be set, to disable the peer/host verification if the https calls are failing as it is insecure to allow unverified peers.
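
      A sketch of the behaviour described above, added here as an example and not taken from the NETCURL code base: verification is on by default, the CA store is looked up through openssl_get_cert_locations() with caller-supplied fallbacks, and verification is only switched off by an explicit flag. The function names, the `$allowUnverifiedSsl` parameter (modelled on the allowUnverifiedSSL setting named in this issue) and the fallback path are assumptions.

```php
<?php
// Added example, not NETCURL code. Names and fallback paths are assumptions.

/** Return a CURLOPT_CAINFO/CURLOPT_CAPATH option for the first usable CA store, or null. */
function findCaStore(array $extraFiles = []): ?array
{
    // Available from PHP 5.6; older builds fall through to the extra candidates.
    $loc = function_exists('openssl_get_cert_locations') ? openssl_get_cert_locations() : [];

    // php.ini overrides first, then OpenSSL's compiled-in default, then caller paths.
    $files = array_merge(
        array_filter([$loc['ini_cafile'] ?? '', $loc['default_cert_file'] ?? '']),
        $extraFiles
    );
    foreach ($files as $file) {
        if (is_file($file) && is_readable($file)) {
            return [CURLOPT_CAINFO => $file];
        }
    }
    foreach (array_filter([$loc['ini_capath'] ?? '', $loc['default_cert_dir'] ?? '']) as $dir) {
        // An existing but empty directory is useless, so require at least one entry.
        if (is_dir($dir) && count(scandir($dir)) > 2) {
            return [CURLOPT_CAPATH => $dir];
        }
    }
    return null;
}

/** Build TLS options: verification stays on unless the caller explicitly opts out. */
function secureCurlOptions(bool $allowUnverifiedSsl = false, array $extraFiles = []): array
{
    if ($allowUnverifiedSsl) {
        return [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0];
    }
    $opts = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
    // With no store found, libcurl's built-in default is used and the request
    // fails closed if the peer cannot be verified.
    return $opts + (findCaStore($extraFiles) ?? []);
}

// Constructed fallback candidate; adjust for distributions with other layouts.
$opts = secureCurlOptions(false, ['/etc/ssl/certs/ca-certificates.crt']);
$ch = curl_init();
curl_setopt_array($ch, $opts + [CURLOPT_RETURNTRANSFER => true]);
echo 'verify peer: ', var_export($opts[CURLOPT_SSL_VERIFYPEER], true), PHP_EOL;
echo 'CA store: ', $opts[CURLOPT_CAINFO] ?? $opts[CURLOPT_CAPATH] ?? '(libcurl default)', PHP_EOL;
curl_close($ch);
```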

            People

              tornevall tornevall