From 964d13792b91223b2a184c111441673b35776f9c Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Thu, 22 Jan 2015 12:21:57 +0100
Subject: [PATCH] ssl_verify_host option in config (default is true)
---
 lib/default.php | 3 ++-
 lib/httpclient.php | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/default.php b/lib/default.php
index 465a5142a3..b0d530bd4d 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -345,7 +345,8 @@ $default =
 'maxurllength' => 100,
 'maxnoticelength' => -1),
 'http' => // HTTP client settings when contacting other sites
-array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt') (this activates "ssl_verify_peer")
+'ssl_verify_host' => true, // HTTPRequest2 makes sure this is set to CURLOPT_SSL_VERIFYHOST==2 if using curl
 'curl' => false, // Use CURL backend for HTTP fetches if available. (If not, PHP's socket streams will be used.)
 'proxy_host' => null,
 'proxy_port' => null,
diff --git a/lib/httpclient.php b/lib/httpclient.php
index 960cd400f4..3e9f5d3ea7 100644
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -145,6 +145,10 @@ class HTTPClient extends HTTP_Request2
 $this->config['ssl_verify_peer'] = false;
 }
 
+// This means "verify the cert hostname against what we connect to", it does not
+// imply CA trust or anything like that. Just the hostname.
+$this->config['ssl_verify_host'] = common_config('http', 'ssl_verify_host');
+
 if (common_config('http', 'curl') && extension_loaded('curl')) {
 $this->config['adapter'] = 'HTTP_Request2_Adapter_Curl';
 }
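Review bot: The comment on the new `'ssl_verify_host' => true` default calls the library `HTTPRequest2`, but the class it configures is `HTTP_Request2` (the second hunk shows `class HTTPClient extends HTTP_Request2`), so the name should be corrected for anyone grepping for the option. The comment also only describes the curl mapping; since `ssl_cafile` defaults to false in the same array, a reader cannot tell from this line whether the hostname check means anything on its own. I would reword it as `// Check the cert's hostname against the host we connect to (HTTP_Request2 maps this to CURLOPT_SSL_VERIFYHOST==2 on curl); it does not validate the chain — set ssl_cafile for that.` The `$default` array continues outside the hunk.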
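Review bot: The new assignment turns hostname verification on regardless of the branch directly above it, where `ssl_verify_peer` is forced to false when no `ssl_cafile` is configured; without chain validation any certificate that happens to carry the expected name is accepted, so on that path the hostname check gives little assurance by itself. Keeping it on as defence in depth is fine, but the added comment should say so rather than stopping at "Just the hostname", e.g. `// Only meaningful together with ssl_verify_peer (i.e. ssl_cafile set): without chain validation any cert carrying the right name passes.` The value is also stored as whatever `common_config('http', 'ssl_verify_host')` returns rather than a guaranteed bool; I cannot see common_config's return type from here, but if it can yield a string from a config file, `(bool)` or `filter_var(..., FILTER_VALIDATE_BOOLEAN)` at this line would keep a truthy "false" from reading as enabled. The enclosing method starts and ends outside the hunk.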