Project

General

Profile

Actions

Feature #13367

closed

Specify CA trust store location when downloading and validating URL alias content

Added by Marcos M over 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Aliases / Tables
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default

Description

When the option Check certificate of aliases URLs is checked, it does not use the same trust store used when enabling Add this Certificate Authority to the Operating System Trust Store for a CA. This prevents the use of URLs with self-signed certs.


Related issues

Related to Bug #12737: CA path is not defined when using ``curl`` in the shellResolvedJim Pingle

Actions
Actions #2

Updated by Marcos M over 2 years ago

Patch:

diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc
index e73cac78e0fbf7529a4349849a03419fc7e0a25e..d48014d829840ee02b0a839f5b2da4f5973dee54 100644
--- a/src/etc/inc/pfsense-utils.inc
+++ b/src/etc/inc/pfsense-utils.inc
@@ -2036,8 +2036,15 @@ function download_file($url, $destination, $verify_ssl = true, $connect_timeout

     $ch = curl_init();
     curl_setopt($ch, CURLOPT_URL, $url);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+    if ($verify_ssl) {
+        curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+    } else {
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false);
+    }
     curl_setopt($ch, CURLOPT_FILE, $fp);
     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout);
     curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
@@ -2082,8 +2089,15 @@ function download_file_with_progress_bar($url, $destination, $verify_ssl = true,
      */
     $ch = curl_init();
     curl_setopt($ch, CURLOPT_URL, $url);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verify_ssl);
-    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+    if ($verify_ssl) {
+        curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+    } else {
+        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+        curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, false);
+    }
     curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
     curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody);

Actions #3

Updated by Marcos M over 2 years ago

  • Related to Bug #12737: CA path is not defined when using ``curl`` in the shell added
Actions #4

Updated by Marcos M over 2 years ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Marcos M over 2 years ago

  • Status changed from Pull Request Review to Resolved

Merged.

Actions #6

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #7

Updated by Jim Pingle almost 2 years ago

  • Subject changed from Use certificate trust store when verifying alias URLs to Validate certificates when downloading alias content from URLs

Updating subject for release notes.

Actions #8

Updated by Jim Pingle almost 2 years ago

  • Subject changed from Validate certificates when downloading alias content from URLs to Specify CA trust store location when downloading and validating URL alias content

Updating subject for release notes again, last one was a bit off.

Though really this would affect anything using download_file() and download_file_with_progress_bar(), currently the only consumers of those functions in the base system is fetching URL alias content.

Actions

Also available in: Atom PDF