Task #75038: Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Task #75038

closed

Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests

Added by Daniel Maier over 8 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2016-03-13

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Sprint Focus:

Description

Currently curl-calls in GeneralUtility::getUrl don't respect the settings ssl_verify_peer, ssl_verify_host and from DefaultConfiguration.

As the TER mirror url (https://repositories.typo3.org) and others have been changed to HTTPS, calling them via curl behind a proxy without the above mentioned curl settings might result in an invalid SSL certificate verifaction, preventing the download.

This can be solved by adding the respecting CURLOPT settings CURLOPT_SSL_VERIFYPEER, CURLOPT_CAPATH and CURLOPT_SSL_VERIFYHOST

Related issues 1 (0 open — 1 closed)

Related to TYPO3 Core - Bug #75908: Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests not only in case of using curlProxyServer

Rejected

Petra Arentzen

2016-04-25

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Gerrit Code Review over 8 years ago

Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47234

Actions

Copy link

Updated by Stephan grass over 8 years ago

For me (TYPO3 7.6.4) the patch don't work.
I found a solution described here: http://stackoverflow.com/questions/35986024/cant-download-extensions-via-typo3-extension-manager
'Adding the line curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); directly after $ch = curl_init(); in curl.php and adding same line next to the other curl_setopt( ... ) in GeneralUtility.php solved this issue for typo3 7.6.4.'

I have also problems with TYPO3 6.2 LTS.
I think, this issue is "Must have".

Actions

Copy link

Updated by Gerrit Code Review over 8 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47464

Actions

Copy link

Updated by Daniel Maier over 8 years ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset ed3353fbfa5de4c5cc3c3d34598fa061f0f27123.

Actions

Copy link

Updated by Petra Arentzen over 8 years ago

Why are the config options [HTTP][ssl_verify_*] only respected if ['SYS']['curlProxyServer'] is set?

This is an annoying problem in environments where a self signed certificate is used, e.G. while developing or testing. I guess most developers work with a self signed certificate. So they have to change core files for running code which uses GeneralUtility::getUrl() or switch back to http:, which in my case also means to .htaccess where https: is forced. This is really bad.

Shouldn't it be done like that? And if not why not?

Index: typo3/sysext/core/Classes/Utility/GeneralUtility.php
<+>UTF-8
===================================================================
--- typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
+++ typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
@@ -2474,11 +2474,13 @@
             if (is_array($requestHeaders)) {
                 curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders);
             }
+
+            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
+
             // (Proxy support implemented by Arco <arco@appeltaart.mine.nu>)
             if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']) {
                 curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
                 if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']) {
                     if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']) {
                         curl_setopt($ch, CURLOPT_CAINFO, $GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']);

Actions

Copy link