'Verify Peer' option not respected in Authentication - Gmail plugin #30624

Closed

Contributor

@SharkyKZ SharkyKZ commented Sep 12, 2020

Closes #30621.

Summary of Changes

Corrects data passed to JRegistry.

Testing Instructions

Review.

Documentation Changes Required

No.

@PhilETaylor

This comment was marked as abuse.

@PhilETaylor

This comment was marked as abuse.

@richard67
Member

Ping @SniperSister @zero-24 .

@HLeithner
Member

Besides the fact that it is a bad idea to use no verification in production, we also know that there are enough crap hosts out there with old certificate roots.

Anyway, the function exists, so it should work. If we have 2 tests it can be merged. Removing this feature can be scheduled for j5.

@richard67
Member

richard67 commented Sep 13, 2020

@HLeithner Any idea how it can be tested, besides code review?

@jiweigert

I go with PhilETaylor: having a now-fixed function which disables the verification of SSL certs, and hasn't even worked since it was introduced, is kinda silly.

It is fairly easy to set up a dev/localhost CA / self-signed SSL cert, so verification could be done that way.

On production, there should be no way to disable the verification of SSL certs.

Hosts which are unmaintained and have old/outdated SSL certs certainly have more problems than just invalid SSL certs.
Those hosts should go offline anyway, just to secure the visitors of that site, or others, because that host is already hijacked.

But that's just my own 2c.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30624.

@richard67
Member

Either way it has to be fixed: fix the buggy function like this PR here does, or remove the buggy function. But leaving it as it is should not be an option.

@HLeithner
Member

@richard67 replacing the root certificate for curl with an empty one should work

@zero-24 zero-24 deleted the branch joomla:staging August 8, 2021 20:08
@zero-24 zero-24 closed this Aug 8, 2021
@zero-24
Contributor

zero-24 commented Aug 8, 2021

Dear @SharkyKZ

In preparation for the upcoming release of Joomla 3.10, we have used GitHub's rename feature to rename the staging branch to 3.10-dev. Usually GitHub moves all existing PRs to the new branch just fine, but here it didn't work. The reason seems to be that the fork of the CMS that was used as the base for this PR has been deleted, so GitHub no longer has a base to rebase the PR against the new branch, and we are also not able to reopen the PR. For that reason GitHub closed this PR in my name. If this issue is still valid, it would require a new PR against the new 3.10-dev or 4.0-dev branch.

Successfully merging this pull request may close these issues.

[3][http] Joomla HTTP cannot connect to insecure https sites