Skip to content
This repository

Wrong value set for CURLOPT_SSL_VERIFYHOST #58

Closed
wants to merge 1 commit into from

4 participants

Tomasz Muras Olivier Berger Joachim Fritschi Adam Franco
Tomasz Muras

CURLOPT_SSL_VERIFYHOST should be set to 2 not to 1.

From the libcurl documentation:

When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the
server is the server to which you meant to connect, or the connection fails.

Curl considers the server the intended one when the Common Name field or a
Subject Alternate Name field in the certificate matches the host name in the
URL to which you told Curl to connect.

When the value is 1, the certificate must contain a Common Name field, but it
doesn't matter what name it says. (This is not ordinarily a useful setting).

Thanks for ghedo from debian.org for reporting.

Olivier Berger

Have you been able to test the fix ?

What's the author's opinion on this change ?

Tomasz Muras

Hi, no I did not test the fix. It looks to me like a valid change based on the code review only.

Joachim Fritschi
Collaborator

The patch makes sense but there is an error in the patch and existing code in my view. The "else" an explicit "no verification of the SSL connection (cert/host)" that is requested by the user so it should be 0 for the HOST_VERIFY. I guess it's not used anyway and could simply be removed all together.

I also think we should have an option to only verify the SSL cert but skip the HOST verification.

Joachim Fritschi jfritschi referenced this pull request from a commit
Joachim Fritschi jfritschi #58 Enable full CN valdiation of SSL certifcate and create a manual user
override to disable it. The new default is a proper CN
validation.
aa00f35
Joachim Fritschi
Collaborator

I have commited a patch to fix this issue. I have tested the solution locally and it works.

The commit also includes an example how to fall back to the old (unsafe) implementation if necessary. The new default is a full CN validation of the SSL certificate.

Any feedback is welcome. The only "ugly" thing was changing the RequestInterface. Maybe @adamfranco has some ideas or opinions?

Adam Franco
Collaborator

Adding the optional parameter to the interface seems OK since in theory the extra validation should be done by any request-handling method, not just CURL. The only change needed is that I think the interface should define the parameter as optional to avoid PHP strict notices.

Joachim Fritschi
Collaborator

Done. I hope this is what you had in mind?

Adam Franco
Collaborator

Looks good. :-)

Joachim Fritschi
Collaborator

Thanks, this takes care of one of the open items on the release preparation list. I will add it to the changelog and release announcement.

Joachim Fritschi
Collaborator

I have added all the info to the docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Showing 1 unique commit by 1 author.

Nov 25, 2012
Tomasz Muras tmuras Correct value for CURLOPT_SSL_VERIFYHOST (2 instead of 1). 0e8ad58
This page is out of date. Refresh to see the latest.

Showing 1 changed file with 2 additions and 2 deletions. Show diff stats Hide diff stats

  1. +2 2 source/CAS/Request/CurlRequest.php
4 source/CAS/Request/CurlRequest.php
@@ -117,12 +117,12 @@ private function _initAndConfigure()
117 117 * Set SSL configuration
118 118 *********************************************************/
119 119 if ($this->caCertPath) {
120   - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
  120 + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
121 121 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
122 122 curl_setopt($ch, CURLOPT_CAINFO, $this->caCertPath);
123 123 phpCAS::trace('CURL: Set CURLOPT_CAINFO');
124 124 } else {
125   - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
  125 + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
126 126 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
127 127 }
128 128

Tip: You can add notes to lines in a file. Hover to the left of a line to make a note

Something went wrong with that request. Please try again.