
Network Library Hardening of Curl (SSL Certificates must be verified as default)


    Details

    • Type: Task
    • Status: Done
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 5.0.X
    • Component/s: MODULE_CURL
    • Labels: None
    • Sprint: TorneLIB 5.0.0 (Deprecated)

      Description

      Make sure the curl library is always verifying that the host is the host you want to talk to.

      https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

      The discovery of this issue was made during the set-up of LIB-37, where we've added an extra ini_set to make sure that the SSL certificates can be adjusted if they're in a different location than the default one (the discovery was basically that host and peer verification was not enabled in the defaults of the class).

      From PHP 5.6 there is an implementation of openssl_get_cert_locations(), from which we can fetch the current default certificate location. This should normally be enough, but during historical tests we've discovered that, for example, Slackware 13 and older distributions did not have certificates stored in /etc/ssl/certs.

      From now on, peer/host verification stays enabled unless allowUnverifiedSSL is explicitly set; it is the only way to disable verification when the https calls are failing, as allowing unverified peers is insecure.
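      The hardened default described above, as an added illustration (not NETCURL's own code): verification on unless allowUnverifiedSSL is explicitly set, with the CA bundle taken from openssl_get_cert_locations() first. The function names, the fallback paths and the warning are assumptions.

```php
<?php
// Added example, not part of NETCURL. Function names, fallback paths
// and the E_USER_WARNING are assumptions for illustration.

/**
 * Locate a readable CA bundle: first what OpenSSL reports via
 * openssl_get_cert_locations() (PHP >= 5.6), then a few common
 * distribution paths (assumed list) for systems that keep their
 * certificates outside /etc/ssl/certs.
 * @return string|null
 */
function findCaBundle()
{
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        foreach (array('ini_cafile', 'default_cert_file') as $key) {
            if (!empty($loc[$key]) && is_readable($loc[$key])) {
                return $loc[$key];
            }
        }
    }
    // Assumed fallback list for distributions without /etc/ssl/certs
    foreach (array('/etc/ssl/certs/ca-certificates.crt',
                   '/etc/pki/tls/certs/ca-bundle.crt',
                   '/usr/local/share/certs/ca-root-nss.crt') as $path) {
        if (is_readable($path)) {
            return $path;
        }
    }
    return null;
}

/**
 * Apply TLS options to a curl handle. Peer and host verification are
 * always on unless the caller explicitly passes allowUnverifiedSSL.
 */
function applyTlsOptions($ch, $allowUnverifiedSSL = false)
{
    if ($allowUnverifiedSSL === true) {
        // Explicit opt-out only, and loudly: never the default.
        trigger_error('TLS verification disabled via allowUnverifiedSSL', E_USER_WARNING);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        return;
    }
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // 2 = name must match the host
    if (($bundle = findCaBundle()) !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    }
}
```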


      People

      Assignee: Tornevall Tomas Tornevall
      Reporter: Tornevall Tomas Tornevall
