Insecure curl / https usage #40

Open
notr1ch opened this issue Sep 4, 2014 · 0 comments
notr1ch commented Sep 4, 2014

The library appears to explicitly disable curl's SSL peer/host checks when a certificate file is not provided in executeRequest:

        // https handling
        if (!empty($this->certificate_file)) {
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
            curl_setopt($ch, CURLOPT_CAINFO, $this->certificate_file);
        } else {
            // bypass ssl verification
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        }

This is insecure as it opens the user to a MITM attack and negates the point of using SSL. By default if CURLOPT_CAINFO is not set, curl uses the system CA bundle to verify certificates, so enabling the host and peer verification only when a manual certificate file is specified is incorrect and reduces security.
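
A hardened form of the branch quoted in the issue, as an added example that is not part of the original report or the library's own code. The function names `applyTlsVerification` and `fetch` are hypothetical; only the curl options shown in the issue are used for the TLS settings.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (name and signature are assumptions, not the library's API).
 * Applies TLS settings to a curl handle so that verification is never disabled.
 */
function applyTlsVerification($ch, ?string $certificateFile = null): void
{
    // Always verify the certificate chain and that the certificate matches the host.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    if ($certificateFile !== null && $certificateFile !== '') {
        // Fail closed: an unreadable bundle is an error, not a reason to skip checks.
        if (!is_file($certificateFile) || !is_readable($certificateFile)) {
            throw new InvalidArgumentException("CA bundle not readable: {$certificateFile}");
        }
        // Pin trust to the caller-supplied CA bundle.
        curl_setopt($ch, CURLOPT_CAINFO, $certificateFile);
    }
    // Otherwise CURLOPT_CAINFO stays unset and curl verifies against its default CA bundle.
}

/**
 * Hypothetical request wrapper: a failed certificate check surfaces as an
 * exception instead of being silently bypassed.
 */
function fetch(string $url, ?string $certificateFile = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('Could not initialise curl');
    }

    applyTlsVerification($ch, $certificateFile);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    $body = curl_exec($ch);
    if ($body === false) {
        // Covers TLS failures (untrusted issuer, host name mismatch) as well as network errors.
        throw new RuntimeException(
            sprintf('Request failed (curl error %d): %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}
```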
