Bug #75908

Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests not only in case of using curlProxyServer

Added by Petra Arentzen over 3 years ago. Updated over 1 year ago.

Status: Rejected
Priority: Should have
Category: Backend API
Start date: 2016-04-25
Due date:
% Done: 0%
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

In contrast to the solution in #75038, I think the 'ssl_verify_*' options in the configuration should be respected not only when the option 'curlProxyServer' is set:

Index: typo3/sysext/core/Classes/Utility/GeneralUtility.php
<+>UTF-8
===================================================================
--- typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
+++ typo3/sysext/core/Classes/Utility/GeneralUtility.php    (revision )
@@ -2474,11 +2474,13 @@
             if (is_array($requestHeaders)) {
                 curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders);
             }
+
+            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
+
             // (Proxy support implemented by Arco <arco@appeltaart.mine.nu>)
             if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']) {
                 curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['TYPO3_CONF_VARS']['SYS']['curlProxyServer']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_host']);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, (bool)$GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']);
                 if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer']) {
                     if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']) {
                         curl_setopt($ch, CURLOPT_CAINFO, $GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_cafile']);
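Review bot: The CA lookup stays inside the `curlProxyServer` branch while the two verify options move above it, so a request made without a proxy is now told to verify the peer but never receives `CURLOPT_CAINFO` from `ssl_cafile`. Move the `if ($GLOBALS['TYPO3_CONF_VARS']['HTTP']['ssl_verify_peer'])` block that sets the CA options up next to the two added lines. On the added `CURLOPT_SSL_VERIFYHOST` line, the `(bool)` cast passes true or false, whereas libcurl defines this option as an integer in which 2 means the host name is checked; pass 2 or 0 explicitly.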

Reason:
It's an annoying problem in environments where a self-signed certificate is used, e.g. while developing or testing. I guess many developers work with such a certificate. So they have to change core files to run code which uses GeneralUtility::getUrl() or switch back to http:, which in my case (and surely in some others) also means changing .htaccess where https: is forced.


Related issues

Related to TYPO3 Core - Task #75038: Respect ssl_verify_peer, ssl_verify_host and ssl_capath settings for curl requests Closed 2016-03-13
Related to TYPO3 Core - Bug #77490: geturl stream context doesn't respect ssl_* settings Rejected 2016-08-12
Duplicated by TYPO3 Core - Bug #77489: curl: respect ssl_* settings without curlProxyServer=1 Closed 2016-08-12

History

#2 Updated by Gerrit Code Review about 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49861

#3 Updated by Alexander Opitz almost 3 years ago

  • Category set to Backend API
  • Assignee set to Petra Arentzen
  • Target version set to Candidate for patchlevel

Please provide the patch for master first. It will get backported later on.

#4 Updated by Tobias Liebig almost 3 years ago

This bug does not relate to master, as GeneralUtility::getUrl is completely refactored using Guzzle instead of cURL.

@Alexander Opitz: could you please reconsider your -1 review?

#5 Updated by Gerrit Code Review over 2 years ago

Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49861

#6 Updated by Gerrit Code Review over 2 years ago

Patch set 3 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49861

#7 Updated by Gerrit Code Review over 2 years ago

Patch set 4 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49861

#8 Updated by Alexander Opitz over 1 year ago

  • Duplicated by Bug #77489: curl: respect ssl_* settings without curlProxyServer=1 added

#9 Updated by Alexander Opitz over 1 year ago

BTW: the CURLOPT_SSL_VERIFYHOST seems to be used wrong, it isn't a boolean value, it is an integer, see https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
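
One way to apply the settings discussed in this issue regardless of proxy use, with the integer form of CURLOPT_SSL_VERIFYHOST noted in comment #9 and a CA file covering the self-signed development case from the description. This is an added example, not TYPO3 core code or any patch set from the review; the function name, sample host and CA path are assumptions.

```php
<?php
// Added illustration, not TYPO3 core code. applyTlsVerification() and the
// $httpConf parameter are hypothetical; the array keys are the settings
// named in this issue.
function applyTlsVerification($ch, array $httpConf): void
{
    $verifyPeer = !empty($httpConf['ssl_verify_peer']);
    $verifyHost = !empty($httpConf['ssl_verify_host']);

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verifyPeer);
    // Integer option: 2 requires the certificate to match the requested
    // host name, 0 turns the check off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verifyHost ? 2 : 0);

    if (!$verifyPeer) {
        return; // CA settings only matter when the peer is verified
    }
    // Trust a private CA (for example the one that issued a development
    // certificate) instead of switching verification off.
    if (!empty($httpConf['ssl_cafile'])) {
        curl_setopt($ch, CURLOPT_CAINFO, $httpConf['ssl_cafile']);
    }
    if (!empty($httpConf['ssl_capath'])) {
        curl_setopt($ch, CURLOPT_CAPATH, $httpConf['ssl_capath']);
    }
}

// Constructed sample configuration; host name and CA path are placeholders.
$httpConf = [
    'ssl_verify_peer' => true,
    'ssl_verify_host' => true,
    'ssl_cafile'      => '/path/to/dev-ca.pem',
    'ssl_capath'      => '',
];

$ch = curl_init('https://dev.example.test/');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
applyTlsVerification($ch, $httpConf); // applied with or without a proxy

$body = curl_exec($ch);
if ($body === false) {
    // A certificate that does not chain to the configured CA, or does not
    // match the host name, ends up here instead of being accepted.
    fwrite(STDERR, 'Request failed: ' . curl_error($ch) . PHP_EOL);
}
curl_close($ch);
```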

#10 Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49861

#11 Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/49861

#12 Updated by Christian Kuhn over 1 year ago

  • Status changed from Under Review to Rejected
