Enable CURLOPT_SSL_VERIFYPEER option #18
Comments
Any reason for this not to be implemented yet?
It's not backward compatible because it possibly breaks existing installations. Therefore it's a feature for the next major release (2.0).
I don't see how this will break existing installations, except for those that don't have a correct/complete/up-to-date certificate bundle. That's not so much breaking the installation of this repo as it is a poorly configured php/curl installation. The effect will be the same though and this is probably a good reason to wait for a major release. Or am I missing something here?
You're right, but we cannot assume that the CA bundle is up to date everywhere. Enforcing certificate validation without shipping a current CA bundle will possibly break installations.
Fair enough. How about a temporary fix, that won't break anything in existing installations, that will attempt to verify the certificate and will do the request without verification if it fails. Also it can be easily removed in a future release without breaking backwards compatibility. For testing purposes I've edited my
Suggested fixes:
CURLOPT_SSL_VERIFYPEER shouldn't be set to false as this possibly weakens security.
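
An added example, not code from this project or its maintainers: one way to enable certificate verification in PHP's cURL binding, optionally pointing at a CA bundle shipped with the application, and failing closed on any TLS error. The function names, the command-line usage and the bundle path are assumptions made for illustration.

```php
<?php
// Added example; function names and the CA bundle path are hypothetical.

// Build cURL options that verify the certificate chain and the host name.
// $caBundle is an optional path to a PEM bundle shipped with the application
// (assumption); when null, libcurl's default trust store is used.
function verified_curl_options(?string $caBundle = null): array
{
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
    ];
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            // A missing bundle is a deployment error, not a reason to skip checks.
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    return $opts;
}

// Perform a GET request. A TLS failure raises an exception; no second,
// unverified request is attempted.
function fetch_verified(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, verified_curl_options($caBundle));
    $body = curl_exec($ch);
    if ($body === false) {
        // curl_errno() separates certificate problems from plain network errors.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Command-line use: php fetch.php https://example.org/ [path/to/ca-bundle.pem]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    try {
        echo strlen(fetch_verified($argv[1], $argv[2] ?? null)), " bytes\n";
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

Logging the cURL error number on failure shows which installations have a stale or missing CA bundle, which is the compatibility concern raised in the thread.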