This repository has been archived by the owner on Jul 24, 2023. It is now read-only.
Insecure HTTPS connections by default on certain systems #51
Comments
|
This repo is being archived. Closing issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
If cURL is not installed, HTTPS seems to be silently done using fsockopen, which does not check SSL certificates. IMHO, this should not happen automatically - if a user wants it to work in the insecure way (because curl is unavailable), the user should be required to set the manual override.
Additionally, the Auth_OpenID_VERIFY_HOST constant seems to be read but neither set nor documented anywhere. Thus, it seems that CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are never set by default. This would only be insecure with cURL versions before 7.10, and I do not know if any PHP5 was ever shipped with such an old version. However, in the current form, the code around Auth_OpenID_VERIFY_HOST makes little sense - either it should be enabled by default (or at least documented) to cover old cURL versions, or it can be removed if cURL >= 7.10 is assumed as it would only set the cURL defaults again. See also Issue #38 which suggests making it possible to override the defaults by setting VERIFY_HOST to false.
The text was updated successfully, but these errors were encountered: