https://redmine.pfsense.org/ https://redmine.pfsense.org/favicon.ico?1678052116 2022-07-19T18:11:07Z pfSense bugtracker
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=62298 2022-07-19T18:11:07Z Marcos M
<ul></ul><p>Tested on 22.09 - works for me.<br /><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/835">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/835</a></p>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=62299 2022-07-19T18:12:16Z Marcos M
<ul></ul><p>Patch:<br /><pre>
diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc
index e73cac78e0fbf7529a4349849a03419fc7e0a25e..d48014d829840ee02b0a839f5b2da4f5973dee54 100644
--- a/src/etc/inc/pfsense-utils.inc
+++ b/src/etc/inc/pfsense-utils.inc
@@ -2036,8 +2036,15 @@ function download_file($url, $destination, $verify_ssl = true, $connect_timeout
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+ if ($verify_ssl) {
+ curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+ } else {
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false);
+ }
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
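Review bot: The CA directory in the if ($verify_ssl) branch is the string literal "/etc/ssl/certs/" with no check that the directory exists or is populated. With an OpenSSL-backed libcurl, CURLOPT_CAPATH only finds certificates stored under their hashed subject names, so an empty or unhashed directory makes every verified download fail. Consider defining the path once as a shared constant and documenting the hashed-directory requirement next to it. In the else branch, CURLOPT_SSL_VERIFYSTATUS is already false by default in libcurl, so that line has no effect; either drop it or add a comment saying it is set explicitly on purpose.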
@@ -2082,8 +2089,15 @@ function download_file_with_progress_bar($url, $destination, $verify_ssl = true,
*/
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+ if ($verify_ssl) {
+ curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+ } else {
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false);
+ }
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody);
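Review bot: The if/else block here is a verbatim copy of the one added to download_file(), so the two functions can drift apart the next time the TLS options change; a small shared helper that takes $ch and $verify_ssl would keep them in step. Separately, the context line setting CURLOPT_FOLLOWLOCATION to true means that with $verify_ssl enabled an https:// URL may still be redirected to a scheme that is not covered by certificate verification. Consider setting CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTPS in the verify branch so a verified download cannot be redirected to plain HTTP.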
</pre></p>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=62302 2022-07-19T18:16:33Z Marcos M
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-4 priority-default closed" href="/issues/12737">Bug #12737</a>: CA path is not defined when using ``curl`` in the shell</i> added</li></ul>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=62303 2022-07-19T18:26:18Z Marcos M
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li></ul>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=62742 2022-08-31T18:17:02Z Marcos M
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Resolved</i></li></ul><p>Merged.</p>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=63186 2022-10-11T14:41:00Z Jim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>22.11</i> to <i>23.01</i></li></ul>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=64299 2022-12-07T12:06:33Z Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>Use certificate trust store when verifying alias URLs</i> to <i>Validate certificates when downloading alias content from URLs</i></li></ul><p>Updating subject for release notes.</p>
pfSense - Feature #13367: Specify CA trust store location when downloading and validating URL alias content https://redmine.pfsense.org/issues/13367?journal_id=64301 2022-12-07T12:11:37Z Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>Validate certificates when downloading alias content from URLs</i> to <i>Specify CA trust store location when downloading and validating URL alias content</i></li></ul><p>Updating subject for release notes again, last one was a bit off.</p>
<p>Though really this would affect anything using download_file() and download_file_with_progress_bar(), currently the only consumer of those functions in the base system is fetching URL alias content.</p>