This repository was archived by the owner on Jan 30, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 85
Add support to sslcafile and sslcapath to cURL adapter #97
Merged
ezimuel
merged 2 commits into
zendframework:develop
from
mlocati-forks:curladapter-ca-files
Jan 24, 2017
Merged
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking that we should check if CURLOPT_SSL_VERIFYPEER is false and in this case throw an Exception if we set
sslcafileorsslcapath. What do you think?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason to do that? I would do the opposite: avoid setting the
CURLOPT_CAINFOandCURLOPT_CAPATHcurl options ifCURLOPT_SSL_VERIFYPEERis false (that because I don't know how the underlying libcurl behaves in that case...)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea is to prevent setting CA if CURLOPT_SSL_VERIFYPEER is false. Basically we should allow setting CA only if CURLOPT_SSL_VERIFYPEER is true.
Reading here from the CURL manual, we can use CURLOPT_CAINFO and CURLOPT_CAPATH only if CURLOPT_SSL_VERIFYPEER is true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's exactly what I meant.
Instead of throwing an exception (like you suggested), I'd avoid setting
CURLOPT_CAINFOandCURLOPT_CAPATHifCURLOPT_SSL_VERIFYPEERis falseThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's better throwing an exception because we can prevent a potential security issue.
Let me explain, if CURLOPT_SSL_VERIFYPEER is false and someone set the CURLOPT_CAINFO/CAPATH values and we skip these settings, we will have successfully CURL calls without any evidence about the usage of CA. People can assume the usage of CA because of the successfully calls but the CA will be bypassed due to CURLOPT_SSL_VERIFYPEER .
Throwing an exception we can inform people about the correct usage of CA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about this alternative:
sslverifypeeris not set andCURLOPT_CAINFO/CAPATHare set, we assume thatsslverifypeeris truesslverifypeeris manually set to false, we don't considerCURLOPT_CAINFO/CAPATHThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CURLOPT_SSL_VERIFYPEER is true by default, so if
sslverifypeeris not set it's not a problem for CA. The issue comes ifsslverifypeeris set to false and we set CA. In this case I think we should throw an Exception, instead of a silent action as you proposed. This is a clear misuse of the component,with potential security implications.@mlocati why you are against using an Exception for this case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ezimuel Because I love to keep everything as simple as possible: if someone sets
sslverifypeerto false, he excepts thatCURLOPT_SSL_VERIFYPEERis set to false, for any value of the other parametersThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mlocati this is not the point, I don't want to change the behaviour of any settings. I would like to prevent wrong settings. Anyway, reading the CURLOPT_SSL_VERIFYPEER specification it seems that it works already as is. If it's false, the CA settings are not used anyway.
I think we can just leave the settings as you proposed without any extra check and exceptions. We should only remember to document this behaviour in the documentation.