Project

General

Profile

Actions

Feature #13367

closed

Use certificate trust store when verifying alias URLs

Added by Marcos M 2 months ago. Updated 26 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Aliases / Tables
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.11
Release Notes:
Default

Description

When the option Check certificate of aliases URLs is checked, it does not use the same trust store used when enabling Add this Certificate Authority to the Operating System Trust Store for a CA. This prevents the use of URLs with self-signed certs.


Related issues

Related to Bug #12737: CApath is not defined by default in curlNew

Actions
Actions #2

Updated by Marcos M 2 months ago

Patch:

diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc
index e73cac78e0fbf7529a4349849a03419fc7e0a25e..d48014d829840ee02b0a839f5b2da4f5973dee54 100644
--- a/src/etc/inc/pfsense-utils.inc
+++ b/src/etc/inc/pfsense-utils.inc
@@ -2036,8 +2036,15 @@ function download_file($url, $destination, $verify_ssl = true, $connect_timeout

     $ch = curl_init();
     curl_setopt($ch, CURLOPT_URL, $url);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+    if ($verify_ssl) {
+        curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+    } else {
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false);
+    }
     curl_setopt($ch, CURLOPT_FILE, $fp);
     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout);
     curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
@@ -2082,8 +2089,15 @@ function download_file_with_progress_bar($url, $destination, $verify_ssl = true,
      */
     $ch = curl_init();
     curl_setopt($ch, CURLOPT_URL, $url);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+    if ($verify_ssl) {
+        curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+    } else {
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false);
+    }
     curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
     curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody);

Actions #3

Updated by Marcos M 2 months ago

  • Related to Bug #12737: CApath is not defined by default in curl added
Actions #4

Updated by Marcos M 2 months ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Marcos M 26 days ago

  • Status changed from Pull Request Review to Resolved

Merged.

Actions

Also available in: Atom PDF