[NETCURL-48] Network Library Hardening of Curl (SSL Certificates must be verified as default) - Tornevall Networks

XML

Word

Printable

Details

Type: Task
Status: Done (View Workflow)
Priority: Medium
Resolution: Done
Affects Version/s: None
Fix Version/s: 5.0.X
Component/s: MODULE_CURL
Labels:
None

Sprint:
TorneLIB 5.0.0 (Deprecated)

Description

Make sure the curl library is always verifying that the host is the host you want to talk to.

https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

The discovery of this issue was made during the set up of ~~LIB-37~~, where we've added an extra ini_set to make sure that the ssl certificates can be adjusted if they're on a different location that the defaulting place (the discovery was basically that host and peer verification was not enabled in the defaults of the class).

From PHP 5.6 there is an implementation of openssl_get_cert_locations(), from where we can fetch a certficates current default location. This should normally be enough, but during historical tests we've discovered that for example Slackware 13 and older distributions did not have certificates stored in /etc/ssl/certs.

From now on, allowUnverifiedSSL must be set, to disable the peer/host verification if the https calls are failing as it is insecure to allow unverified peers.

Attachments

Issue Links

relates to

PHPCRYPTO-24 curl and networklib requires unit tests

Done

NETCURL-116 Throwable ini_set() not doable

Done

mentioned in: Page Loading...

Activity

People

Assignee:: Tomas Tornevall

Reporter:: Tomas Tornevall

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017-02-10 10:05

Updated:: 2018-06-1 01:20

Resolved:: 2017-02-11 12:15