Task #75038

Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests

Added by Daniel Maier over 3 years ago. Updated over 1 year ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2016-03-13
Due date:
% Done: 100%
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Currently curl-calls in GeneralUtility::getUrl don't respect the settings ssl_verify_peer, ssl_verify_host and from DefaultConfiguration.

As the TER mirror url (https://repositories.typo3.org) and others have been changed to HTTPS, calling them via curl behind a proxy without the above mentioned curl settings might result in an invalid SSL certificate verification, preventing the download.

This can be solved by adding the respective CURLOPT settings CURLOPT_SSL_VERIFYPEER, CURLOPT_CAPATH and CURLOPT_SSL_VERIFYHOST.
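
An added example, not part of the original issue and not TYPO3 core code: one way to map the settings named in this issue onto cURL options, so that a private or proxy CA can be trusted while verification stays on. buildTlsCurlOptions(), the fallback to enabled verification for missing keys and the sample CA path are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 core): translate the [HTTP] TLS settings
 * into an array of cURL options.
 */
function buildTlsCurlOptions(array $http): array
{
    // Assumption of this example: missing keys mean "verify".
    $verifyPeer = (bool)($http['ssl_verify_peer'] ?? true);
    $verifyHost = (bool)($http['ssl_verify_host'] ?? true);

    $options = [
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,
        // libcurl's documented values are 0 (off) and 2 (host name must match the certificate).
        CURLOPT_SSL_VERIFYHOST => $verifyHost ? 2 : 0,
    ];

    if ($verifyPeer) {
        // Trust a private or proxy CA instead of switching verification off.
        if (!empty($http['ssl_cafile'])) {
            $options[CURLOPT_CAINFO] = $http['ssl_cafile'];
        }
        if (!empty($http['ssl_capath'])) {
            $options[CURLOPT_CAPATH] = $http['ssl_capath'];
        }
    }

    return $options;
}

// Constructed sample configuration: the proxy's CA certificate is stored locally.
$http = [
    'ssl_verify_peer' => '1',
    'ssl_verify_host' => '1',
    'ssl_cafile' => '/etc/ssl/certs/proxy-ca.pem', // constructed path
    'ssl_capath' => '',
];

$ch = curl_init('https://repositories.typo3.org');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt_array($ch, buildTlsCurlOptions($http));
// curl_exec($ch) would now reject a certificate that does not chain to a trusted CA.
curl_close($ch);
```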


Related issues

Related to TYPO3 Core - Bug #75908: Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests not only in case of using curlProxyServer Rejected 2016-04-25

Associated revisions

Revision ed3353fb (diff)
Added by Daniel Maier over 3 years ago

[TASK] Respect ssl_verify_peer and ssl_verify_host in curl requests

Make GeneralUtility::getUrl aware of the settings ssl_verify_peer, ssl_verify_host,
ssl_cafile and ssl_capath from DefaultConfiguration.

This ensures that curl requests to https addresses (e.g. TER mirror url) are handled
correctly when tunneled through proxies, considering the specific configuration set
in the install tool.

Resolves: #75038
Releases: master, 7.6
Change-Id: I8f527d5d1b9609bcf3f0853153a2f53367492f24
Reviewed-on: https://review.typo3.org/47234
Reviewed-by: Andreas Fernandez <>
Reviewed-by: Xavier Perseguers <>
Reviewed-by: Oliver Hader <>
Reviewed-by: Benni Mack <>
Tested-by: Benni Mack <>
Reviewed-by: Christian Kuhn <>
Tested-by: Christian Kuhn <>

Revision 4f1ce412 (diff)
Added by Daniel Maier over 3 years ago

[TASK] Respect ssl_verify_peer and ssl_verify_host in curl requests

Make GeneralUtility::getUrl aware of the settings ssl_verify_peer, ssl_verify_host,
ssl_cafile and ssl_capath from DefaultConfiguration.

This ensures that curl requests to https addresses (e.g. TER mirror url) are handled
correctly when tunneled through proxies, considering the specific configuration set
in the install tool.

Resolves: #75038
Releases: master, 7.6
Change-Id: I8f527d5d1b9609bcf3f0853153a2f53367492f24
Reviewed-on: https://review.typo3.org/47464
Reviewed-by: Christian Kuhn <>
Tested-by: Christian Kuhn <>

History

#1 Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47234

#2 Updated by Stephan grass over 3 years ago

For me (TYPO3 7.6.4) the patch doesn't work.
I found a solution described here: http://stackoverflow.com/questions/35986024/cant-download-extensions-via-typo3-extension-manager
'Adding the line curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); directly after $ch = curl_init(); in curl.php and adding same line next to the other curl_setopt( ... ) in GeneralUtility.php solved this issue for typo3 7.6.4.'

I also have problems with TYPO3 6.2 LTS.
I think, this issue is "Must have".

#3 Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47464

#4 Updated by Daniel Maier over 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5 Updated by Petra Arentzen over 3 years ago

Why are the config options [HTTP][ssl_verify_*] only respected if ['SYS']['curlProxyServer'] is set?

This is an annoying problem in environments where a self-signed certificate is used, e.g. while developing or testing. I guess most developers work with a self-signed certificate. So they have to change core files for running code which uses GeneralUtility::getUrl() or switch back to http:, which in my case also means to .htaccess where https: is forced. This is really bad.

Shouldn't it be done like that? And if not why not?

Index: typo3/sysext/core/Classes/Utility/GeneralUtility.php
<+>UTF-8
===================================================================
--- typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
+++ typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
@@ -2474,11 +2474,13 @@
             if (is_array($requestHeaders)) {
                 curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders);
             }
+
+            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
+
             // (Proxy support implemented by Arco <arco@appeltaart.mine.nu>)
             if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']) {
                 curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
                 if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']) {
                     if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']) {
                         curl_setopt($ch, CURLOPT_CAINFO, $GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']);
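
Review bot: the ssl_cafile handling under "if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer'])" stays inside the curlProxyServer block, so after this move a non-proxy request honours ssl_verify_peer but still ignores a configured CA file. A site with a self-signed or private CA can then only make the request succeed by turning verification off; move the CA block out of the proxy condition together with the two lines. In the added CURLOPT_SSL_VERIFYHOST line, the (bool) cast hands cURL true, i.e. 1, while libcurl's documented values are 0 and 2; map an enabled setting to 2 explicitly.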

#6 Updated by Petra Arentzen over 3 years ago

So I don't know if anybody recognizes notes on closed/resolved issues, I'll create a new issue.

#7 Updated by Alexander Opitz over 1 year ago

  • Status changed from Resolved to Closed
  • TYPO3 Version changed from 8 to 7

This was for 7LTS only, but was only fixed in proxy use.
There is #75908 for curl non-proxy usage and #77490 for usage in stream context.
