Skip to content
This repository was archived by the owner on Nov 27, 2018. It is now read-only.

Commit 3c8b1b2

Browse files
jimdoescodejimdoescode
committed
Merge pull request #12 from cakoose/master
HTTPS security fixes: Use TLS instead of SSL v3; actually verify server certificate.
2 parents 1a00593 + 9af6a9a commit 3c8b1b2

File tree

2 files changed

+1400
-2
lines changed

2 files changed

+1400
-2
lines changed

libraries/Dropbox.php

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -477,9 +477,11 @@ private function _connect($url, $header, $request, $postdata = false, $destinati
477477
{
478478
$ch = curl_init($url);
479479
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC ) ;
480-
curl_setopt($ch, CURLOPT_SSLVERSION,3);
481-
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
480+
curl_setopt($ch, CURLOPT_SSLVERSION, 1); // Require TLS
481+
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
482482
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
483+
curl_setopt($ch, CURLOPT_CAINFO, __DIR__."/certs/trusted-certs.crt");
484+
curl_setopt($ch, CURLOPT_CAPATH, __DIR__."/certs/");
483485
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
484486
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $request);
485487
curl_setopt($ch, CURLOPT_HTTPHEADER, explode(self::LINE_END, $header));

0 commit comments

Comments
 (0)