An idea that popped up in discussions on twitter.
Showing 1 changed file with 10 additions and 0 deletions.
fd9f207
@bagder Would that also block HTTPS without certificate/host verification? (which isn't cleartext per se, yet still may be in line with the intent of this new setting.)
I'd say that is up for debate... maybe we could have the variable set different levels?
That sounds good to me!
Just a quick brainstorming:
IMO:
Might also be a good idea to have it both as an environment variable and as a CURLOPT: some systems allow setenv() to update the environment inherited by future children, but not for the current process. In this case, the process itself cannot enforce this protection for its own calls without something like a CURLOPT (I know: CURLOPT_* are for a single handle, but there currently exists no curl_global_setopt()).
Yes that could indeed be considered. Programs do have CURLOPT_PROTOCOLS though as an option already, which isn't exactly the same as we're discussing here but can be used similarly.
I just looked through the code and it seems to be ok since AFAICS, authentication is always performed after STARTTLS.
I don't understand why this is necessary, isn't protocol restriction enough? Where is the twitter thread? I can't find it.
Regarding the original (envvar) proposal my understanding is that it's a way to override insecure app configuration/code by users (who have the power to control envvars, e.g. on desktops/servers). Meaning, an existing app decided it's fine to use HTTP or not to verify the certificate for HTTPS, but in certain use-cases it's useful to override such decision and say that such uses are not accepted.
Exactly. This would allow a user to restrict what curl/libcurl is allowed to do even if the application otherwise is allowed to perform those insecure transfers.
Sounds like a libcurl rc. I would rather leave it to app developers; they have to know whether their program is going to work or not.
Then you wouldn't set this variable. With the variable set, you can for example prevent scripts that use curl from using insecure protocols, or you can set it in your shell to stop things like "curl -O http://example.com/installer-bin" from working because you want that local policy. And the same then goes for programs using libcurl. With such a variable a user can insist on a higher bar, even if the makers of the tool don't.
No, I understand (now). I just disagree.