Add support to sslcafile and sslcapath to cURL adapter #97
Conversation
| } | ||
| } | ||
|
|
||
| if (isset($this->config['sslcafile']) && $this->config['sslcafile']) { |
There was a problem hiding this comment.
I'm thinking that we should check if CURLOPT_SSL_VERIFYPEER is false and in this case throw an Exception if we set sslcafile or sslcapath. What do you think?
There was a problem hiding this comment.
Any reason to do that? I would do the opposite: avoid setting the CURLOPT_CAINFO and CURLOPT_CAPATH curl options if CURLOPT_SSL_VERIFYPEER is false (that because I don't know how the underlying libcurl behaves in that case...)
There was a problem hiding this comment.
The idea is to prevent setting CA if CURLOPT_SSL_VERIFYPEER is false. Basically we should allow setting CA only if CURLOPT_SSL_VERIFYPEER is true.
Reading here from the CURL manual, we can use CURLOPT_CAINFO and CURLOPT_CAPATH only if CURLOPT_SSL_VERIFYPEER is true.
There was a problem hiding this comment.
That's exactly what I meant.
Instead of throwing an exception (like you suggested), I'd avoid setting CURLOPT_CAINFO and CURLOPT_CAPATH if CURLOPT_SSL_VERIFYPEER is false
There was a problem hiding this comment.
I think it's better throwing an exception because we can prevent a potential security issue.
Let me explain, if CURLOPT_SSL_VERIFYPEER is false and someone set the CURLOPT_CAINFO/CAPATH values and we skip these settings, we will have successfully CURL calls without any evidence about the usage of CA. People can assume the usage of CA because of the successfully calls but the CA will be bypassed due to CURLOPT_SSL_VERIFYPEER .
Throwing an exception we can inform people about the correct usage of CA.
There was a problem hiding this comment.
What about this alternative:
- if
sslverifypeeris not set andCURLOPT_CAINFO/CAPATHare set, we assume thatsslverifypeeris true - if
sslverifypeeris manually set to false, we don't considerCURLOPT_CAINFO/CAPATH
There was a problem hiding this comment.
CURLOPT_SSL_VERIFYPEER is true by default, so if sslverifypeer is not set it's not a problem for CA. The issue comes if sslverifypeer is set to false and we set CA. In this case I think we should throw an Exception, instead of a silent action as you proposed. This is a clear misuse of the component,with potential security implications.
@mlocati why you are against using an Exception for this case?
There was a problem hiding this comment.
There was a problem hiding this comment.
@mlocati this is not the point, I don't want to change the behaviour of any settings. I would like to prevent wrong settings. Anyway, reading the CURLOPT_SSL_VERIFYPEER specification it seems that it works already as is. If it's false, the CA settings are not used anyway.
I think we can just leave the settings as you proposed without any extra check and exceptions. We should only remember to document this behaviour in the documentation.
So that people may easily see that they exist
mlocati
force-pushed
the
curladapter-ca-files
branch
from
912739c to
5194999
Compare
I'm going to do that.
Done.
Thanks to you! 😉 |
|
@mlocati I added the unit test and the documentation to the PR. Thanks for your contribution! |
2 participants
Socket adapter supports the options
sslcafileandsslcapath.What about supporting them in the cURL Adapter too?