Task #75038
Closed
Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests
100%
Description
Currently curl-calls in GeneralUtility::getUrl don't respect the settings ssl_verify_peer, ssl_verify_host and from DefaultConfiguration.
As the TER mirror url (https://repositories.typo3.org) and others have been changed to HTTPS, calling them via curl behind a proxy without the above mentioned curl settings might result in an invalid SSL certificate verification, preventing the download.
This can be solved by adding the respective CURLOPT settings CURLOPT_SSL_VERIFYPEER, CURLOPT_CAPATH and CURLOPT_SSL_VERIFYHOST.
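The mapping from the [HTTP] settings to curl options that the description asks for, as an added example (not TYPO3 core code and not the patch under review). The helper name `buildTlsCurlOptions()` is hypothetical and the sample configuration values are constructed. It goes slightly beyond the description by also handling `ssl_cafile` and by applying the TLS options whether or not a proxy is set.

```php
<?php
// Added example, not TYPO3 core code. buildTlsCurlOptions() is a hypothetical helper.

/**
 * Translate the [HTTP] TLS settings (and an optional proxy) into curl options.
 * The TLS options are produced for every request, with or without a proxy.
 */
function buildTlsCurlOptions(array $http, string $proxy = ''): array
{
    $verifyPeer = !empty($http['ssl_verify_peer']);
    $options = [
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,
        // libcurl expects 0 (no host name check) or 2 (name must match the certificate)
        CURLOPT_SSL_VERIFYHOST => !empty($http['ssl_verify_host']) ? 2 : 0,
    ];
    if ($verifyPeer) {
        // A private or self-signed CA is trusted by pointing curl at it,
        // so verification can stay switched on.
        if (!empty($http['ssl_cafile'])) {
            if (!is_readable($http['ssl_cafile'])) {
                throw new RuntimeException('ssl_cafile is not readable: ' . $http['ssl_cafile']);
            }
            $options[CURLOPT_CAINFO] = $http['ssl_cafile'];
        }
        if (!empty($http['ssl_capath'])) {
            if (!is_dir($http['ssl_capath'])) {
                throw new RuntimeException('ssl_capath is not a directory: ' . $http['ssl_capath']);
            }
            $options[CURLOPT_CAPATH] = $http['ssl_capath'];
        }
    }
    if ($proxy !== '') {
        $options[CURLOPT_PROXY] = $proxy;
    }
    return $options;
}

// Constructed sample configuration; the temp directory stands in for a real CA directory.
$http = [
    'ssl_verify_peer' => true,
    'ssl_verify_host' => true,
    'ssl_cafile' => '',
    'ssl_capath' => sys_get_temp_dir(),
];

$ch = curl_init('https://repositories.typo3.org');
// No request is sent here; the options are only applied to the handle.
$applied = curl_setopt_array($ch, buildTlsCurlOptions($http) + [CURLOPT_RETURNTRANSFER => true]);
var_dump($applied);
```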
Updated by Gerrit Code Review over 8 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47234
Updated by Stephan grass over 8 years ago
For me (TYPO3 7.6.4) the patch doesn't work.
I found a solution described here: http://stackoverflow.com/questions/35986024/cant-download-extensions-via-typo3-extension-manager
'Adding the line curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); directly after $ch = curl_init(); in curl.php and adding same line next to the other curl_setopt( ... ) in GeneralUtility.php solved this issue for typo3 7.6.4.'
I also have problems with TYPO3 6.2 LTS.
I think, this issue is "Must have".
Updated by Gerrit Code Review over 8 years ago
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47464
Updated by Daniel Maier over 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset ed3353fbfa5de4c5cc3c3d34598fa061f0f27123.
Updated by Petra Arentzen over 8 years ago
Why are the config options [HTTP][ssl_verify_*] only respected if ['SYS']['curlProxyServer'] is set?
This is an annoying problem in environments where a self-signed certificate is used, e.g. while developing or testing. I guess most developers work with a self-signed certificate. So they have to change core files for running code which uses GeneralUtility::getUrl() or switch back to http:, which in my case also means to .htaccess where https: is forced. This is really bad.
Shouldn't it be done like that? And if not why not?
Index: typo3/sysext/core/Classes/Utility/GeneralUtility.php <+>UTF-8 =================================================================== --- typo3/sysext/core/Classes/Utility/GeneralUtility.php (revision ) +++ typo3/sysext/core/Classes/Utility/GeneralUtility.php (revision ) @@ -2474,11 +2474,13 @@ if (is_array($requestHeaders)) { curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders); } + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']); + // (Proxy support implemented by Arco <arco@appeltaart.mine.nu>) if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']) { curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']); - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']); if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']) { if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']) { curl_setopt($ch, CURLOPT_CAINFO, $GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']);
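Review bot: The `if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer'])` block that sets `CURLOPT_CAINFO` from `ssl_cafile` stays inside the `curlProxyServer` branch, so after this change the verify flags apply to every request but a configured CA file is still only used when a proxy is set. Moving that block out together with the two `curl_setopt` lines would let a self-signed development certificate be trusted through `ssl_cafile` while peer verification stays on. Separately, the moved `CURLOPT_SSL_VERIFYHOST` line keeps its `(bool)` cast, which passes `true` (1) where libcurl expects 0 or 2; mapping the setting to `2` or `0` explicitly would be clearer.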
Updated by Petra Arentzen over 8 years ago
So I don't know if anybody recognizes notes on closed/resolved issues, I'll create a new issue
Updated by Alexander Opitz over 6 years ago
- Status changed from Resolved to Closed
- TYPO3 Version changed from 8 to 7