Task #75038

Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests

Added by Daniel Maier over 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2016-03-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Currently curl calls in GeneralUtility::getUrl don't respect the settings ssl_verify_peer, ssl_verify_host and from DefaultConfiguration.

As the TER mirror URL (https://repositories.typo3.org) and others have been changed to HTTPS, calling them via curl behind a proxy without the above-mentioned curl settings might result in a failed SSL certificate verification, preventing the download.

This can be solved by adding the respective CURLOPT settings CURLOPT_SSL_VERIFYPEER, CURLOPT_CAPATH and CURLOPT_SSL_VERIFYHOST.
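As an added illustration (not TYPO3 core code and not the patch under review), the following PHP function applies the [HTTP][ssl_verify_peer], [HTTP][ssl_verify_host], [HTTP][ssl_cafile] and [HTTP][ssl_capath] settings to a curl handle in one place, independent of whether a proxy is configured. The config keys and the proxy key come from this issue; the function name, the sample configuration array and the CA file path are assumptions made for the example.

```php
<?php
// Added example, not TYPO3 code: apply the [HTTP][ssl_*] settings to a curl
// handle regardless of whether [SYS][curlProxyServer] is set.
// Config keys are the ones named in the issue; the function name is hypothetical.

/**
 * Apply TLS verification settings from a TYPO3-style $TYPO3_CONF_VARS['HTTP'] array.
 *
 * @param resource $ch       curl handle from curl_init()
 * @param array    $httpConf e.g. $GLOBALS['TYPO3_CONF_VARS']['HTTP']
 * @return array             the options that were set (useful for logging/tests)
 */
function applyTlsVerificationOptions($ch, array $httpConf)
{
    $verifyPeer = !empty($httpConf['ssl_verify_peer']);
    $verifyHost = !empty($httpConf['ssl_verify_host']);

    $options = array(
        // CURLOPT_SSL_VERIFYPEER really is a boolean.
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,
        // CURLOPT_SSL_VERIFYHOST is not: 2 = the certificate must match the host
        // name, 0 = skip the name check. A (bool) cast would hand libcurl the
        // value 1, which recent libcurl versions refuse to set.
        CURLOPT_SSL_VERIFYHOST => $verifyHost ? 2 : 0,
    );

    // Custom trust anchors are only meaningful when peer verification is on.
    if ($verifyPeer) {
        if (!empty($httpConf['ssl_cafile'])) {
            $options[CURLOPT_CAINFO] = $httpConf['ssl_cafile'];
        }
        if (!empty($httpConf['ssl_capath'])) {
            $options[CURLOPT_CAPATH] = $httpConf['ssl_capath'];
        }
    }

    // curl_setopt_array() returns false at the first option it cannot set.
    if (!curl_setopt_array($ch, $options)) {
        throw new RuntimeException('curl rejected a TLS option');
    }
    return $options;
}

// Usage: constructed sample configuration (the CA path is a placeholder).
$httpConf = array(
    'ssl_verify_peer' => 1,
    'ssl_verify_host' => 1,
    'ssl_cafile'      => '/etc/ssl/certs/ca-certificates.crt',
    'ssl_capath'      => '',
);

$ch = curl_init('https://repositories.typo3.org/');
applyTlsVerificationOptions($ch, $httpConf);

// The proxy setting stays separate from the verification settings.
if (!empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer'])) {
    curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']);
}
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$body = curl_exec($ch);
if ($body === false) {
    // A certificate problem surfaces here (curl_errno() 60 / CURLE_SSL_CACERT or
    // 51 / CURLE_PEER_FAILED_VERIFICATION); the remedy is a correct ssl_cafile or
    // ssl_capath for the site's trust store, not disabling verification.
    fwrite(STDERR, 'curl error ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n");
}
curl_close($ch);
```

The point of keeping the verification options outside the proxy branch is that a self-signed or private CA can then be trusted through ssl_cafile/ssl_capath on every GeneralUtility::getUrl() call, so nobody has to edit core files or switch peer verification off to make downloads work.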


Related issues

Related to TYPO3 Core - Bug #75908: Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests not only in case of using curlProxyServer (Rejected, Petra Arentzen, 2016-04-25)

#1

Updated by Gerrit Code Review over 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47234

#2

Updated by Stephan grass over 4 years ago

For me (TYPO3 7.6.4) the patch doesn't work.
I found a solution described here: http://stackoverflow.com/questions/35986024/cant-download-extensions-via-typo3-extension-manager
'Adding the line curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); directly after $ch = curl_init(); in curl.php and adding same line next to the other curl_setopt( ... ) in GeneralUtility.php solved this issue for typo3 7.6.4.'

I have also problems with TYPO3 6.2 LTS.
I think, this issue is "Must have".

#3

Updated by Gerrit Code Review over 4 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47464

#4

Updated by Daniel Maier over 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5

Updated by Petra Arentzen over 4 years ago

Why are the config options [HTTP][ssl_verify_*] only respected if ['SYS']['curlProxyServer'] is set?

This is an annoying problem in environments where a self-signed certificate is used, e.g. while developing or testing. I guess most developers work with a self-signed certificate. So they have to change core files for running code which uses GeneralUtility::getUrl() or switch back to http:, which in my case also means changing .htaccess where https: is forced. This is really bad.

Shouldn't it be done like that? And if not why not?

Index: typo3/sysext/core/Classes/Utility/GeneralUtility.php
<+>UTF-8
===================================================================
--- typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
+++ typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
@@ -2474,11 +2474,13 @@
             if (is_array($requestHeaders)) {
                 curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders);
             }
+
+            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
+
             // (Proxy support implemented by Arco <arco@appeltaart.mine.nu>)
             if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']) {
                 curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
                 if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']) {
                     if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']) {
                         curl_setopt($ch, CURLOPT_CAINFO, $GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']);
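Review bot: the moved `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)...)` line passes the wrong type for that option: CURLOPT_SSL_VERIFYHOST takes 0 or 2, and a PHP `true` reaches libcurl as 1, which libcurl versions from 7.28.1 up to 7.65.x reject at setopt time (older versions treated 1 as a weaker check that does not compare the host name). With ssl_verify_host enabled the handle would therefore keep libcurl's default instead of the configured value. Suggest `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host'] ? 2 : 0);`. Second point, same hunk: only the two VERIFY* lines move above the proxy branch, while the `if (...['HTTP']['ssl_verify_peer'])` / `ssl_cafile` / CURLOPT_CAINFO handling stays inside `if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer'])`. A site without a proxy but with a private CA would then get peer verification switched on without its CA file and every request would fail verification; the CA options need to move out of the proxy branch together with the VERIFY* options.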

#6

Updated by Petra Arentzen over 4 years ago

Since I don't know whether anybody recognizes notes on closed/resolved issues, I'll create a new issue.

#7

Updated by Alexander Opitz over 2 years ago

  • Status changed from Resolved to Closed
  • TYPO3 Version changed from 8 to 7

This was for 7LTS only, but was only fixed in proxy use.
There is #75908 for curl non-proxy usage and #77490 for usage in stream context.
