Feature #13367
Closed: Specify CA trust store location when downloading and validating URL alias content
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Description
When the option "Check certificate of aliases URLs" is checked, it does not use the same trust store used when enabling "Add this Certificate Authority to the Operating System Trust Store" for a CA. This prevents the use of URLs with self-signed certs.
Related issues
Updated by Marcos M over 2 years ago
Tested on 22.09 - works for me.
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/835
Updated by Marcos M over 2 years ago
Patch:
diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc index e73cac78e0fbf7529a4349849a03419fc7e0a25e..d48014d829840ee02b0a839f5b2da4f5973dee54 100644 --- a/src/etc/inc/pfsense-utils.inc +++ b/src/etc/inc/pfsense-utils.inc @@ -2036,8 +2036,15 @@ function download_file($url, $destination, $verify_ssl = true, $connect_timeout $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl); + if ($verify_ssl) { + curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/"); + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); + } else { + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false); + } curl_setopt($ch, CURLOPT_FILE, $fp); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout); curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); @@ -2082,8 +2089,15 @@ function download_file_with_progress_bar($url, $destination, $verify_ssl = true, */ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); - curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl); + if ($verify_ssl) { + curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/"); + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); + } else { + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false); + } curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header'); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody);
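Review bot: in the first hunk (`download_file()`), the trust store location is the hard-coded literal `"/etc/ssl/certs/"` passed to `CURLOPT_CAPATH`. libcurl only consults a `CAPATH` directory through OpenSSL's hashed-name lookup, so it must contain the `c_rehash`/`openssl rehash` symlinks; a CA copied into that directory by "Add this Certificate Authority to the Operating System Trust Store" without a rehash will still not be trusted, which is exactly the symptom in the description. Since the related Bug #12737 concerns the same CA path for shell `curl`, consider defining the path once (a named constant) that both the shell fix and this PHP code use, and state in the commit message that the directory is expected to be rehashed. Minor: `CURLOPT_SSL_VERIFYSTATUS` is set to `false` only in the `else` branch; the verify branch leaves it at its default, which is also `false`, so the explicit call is redundant but harmless.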
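Review bot: the second hunk (`download_file_with_progress_bar()`) is a verbatim copy of the block added to `download_file()`, with the same `CURLOPT_CAPATH`, `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_SSL_VERIFYPEER` settings in both branches; factor it into one shared helper (a hypothetical `curl_set_ssl_verify($ch, $verify_ssl)`) so the trust-store path and the verify/no-verify policy cannot drift between the two download paths. Replacing the boolean `$verify_ssl` with the literal `2` for `CURLOPT_SSL_VERIFYHOST` is correct and should be called out: PHP coerces `true` to `1`, which is not a supported value for that option in current libcurl, whereas `2` is the setting that actually checks the certificate name against the requested host.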
Updated by Marcos M over 2 years ago
- Related to Bug #12737: CA path is not defined when using ``curl`` in the shell added
Updated by Marcos M over 2 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle almost 2 years ago
- Subject changed from Use certificate trust store when verifying alias URLs to Validate certificates when downloading alias content from URLs
Updating subject for release notes.
Updated by Jim Pingle almost 2 years ago
- Subject changed from Validate certificates when downloading alias content from URLs to Specify CA trust store location when downloading and validating URL alias content
Updating subject for release notes again, last one was a bit off.
Though really this would affect anything using download_file() and download_file_with_progress_bar(), currently the only consumers of those functions in the base system are fetching URL alias content.