Bug #5560


AutoConfigBackup curl session does not verify SSL/TLS certificate, allowing for possible MiTM attacks

Added by Ian Gallagher about 6 years ago. Updated almost 5 years ago.



The configuration of the curl session used for submitting AutoConfigBackup blobs to the pfSense portal is explicitly set to not verify the authenticity of the server's certificate. This could allow for a Man in the Middle attacker to intercept requests from a pfSense installation and intercept encrypted configuration file uploads, and users' portal username/passwords, granting the attacker access to their portal account and anything in it.

The line of code in question is located here: Curl documentation for the option is here:

Remediation should be to change the CURLOPT_SSL_VERIFYPEER from 0 to 1, as follows:

---    2015-12-01 11:50:02.000000000 -0800
+++    2015-12-01 11:50:26.000000000 -0800
@@ -141,3 +141,3 @@
     curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}")));
-    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 1);
     curl_setopt($curl_session, CURLOPT_POST, 1);
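Review bot: Setting CURLOPT_SSL_VERIFYPEER to 1 makes curl check the chain against the CA store, but it does not on its own check that the certificate's name matches the portal host; the hunk does not show CURLOPT_SSL_VERIFYHOST, so confirm in the surrounding session setup that it is left at (or explicitly set to) 2, e.g. `curl_setopt($curl_session, CURLOPT_SSL_VERIFYHOST, 2);`, otherwise a valid certificate for any other name would still be accepted. Comment #1 below also notes that older releases shipped no root CAs; on those installs this change will make the upload fail until a bundle is supplied (CURLOPT_CAINFO), which is the correct fail-closed behaviour but worth stating in the package notes so it is not "fixed" by turning verification back off.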
Additional information on the vulnerability available here:
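As an added example, not code from the AutoConfigBackup package or from the reporter, here is a hardened version of the curl session the report describes, together with an upload wrapper that fails closed when the portal cannot be authenticated. The function names, the CA bundle parameter and any URL are assumptions, not values from the page.

```php
<?php
// Added example (not the AutoConfigBackup package's own code). Function names,
// the CA bundle path and the portal URL are assumptions, not values from the page.

function acb_curl_session_secure(string $url, string $username, string $password, ?string $ca_bundle = null)
{
    $curl_session = curl_init($url);
    curl_setopt($curl_session, CURLOPT_HTTPHEADER, array(
        "Authorization: Basic " . base64_encode("{$username}:{$password}"),
    ));
    // The fix from the patch: verify the server certificate against trusted CAs.
    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, true);
    // VERIFYPEER alone accepts any CA-signed certificate for any name; VERIFYHOST=2
    // also requires the certificate to match the host being contacted. It is curl's
    // default, but setting it explicitly guards against it being turned off elsewhere.
    curl_setopt($curl_session, CURLOPT_SSL_VERIFYHOST, 2);
    // Installs without a shipped root CA store (the situation in comment #1) need an
    // explicit bundle; without one, VERIFYPEER fails closed rather than silently passing.
    if ($ca_bundle !== null) {
        curl_setopt($curl_session, CURLOPT_CAINFO, $ca_bundle);
    }
    // Never let a redirect or a malformed URL downgrade the session to plain HTTP.
    curl_setopt($curl_session, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
    curl_setopt($curl_session, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
    curl_setopt($curl_session, CURLOPT_POST, 1);
    curl_setopt($curl_session, CURLOPT_RETURNTRANSFER, true);
    return $curl_session;
}

// Upload an encrypted config blob and fail closed when the server cannot be
// authenticated; a verification failure must never be "fixed" by retrying with
// VERIFYPEER set to 0.
function acb_upload(string $url, string $username, string $password, string $blob, ?string $ca_bundle = null): ?string
{
    $curl_session = acb_curl_session_secure($url, $username, $password, $ca_bundle);
    curl_setopt($curl_session, CURLOPT_POSTFIELDS, array('data' => $blob));
    $response = curl_exec($curl_session);
    if ($response === false) {
        $errno = curl_errno($curl_session);
        $msg = curl_error($curl_session);
        curl_close($curl_session);
        // CURLE_SSL_CACERT (60) is the "could not verify peer" case worth alerting on.
        error_log("ACB upload aborted (curl error {$errno}): {$msg}");
        return null;
    }
    curl_close($curl_session);
    return $response;
}
```

A null return means the upload was not attempted over an unauthenticated channel; the logged curl error number distinguishes a certificate problem from a plain network failure.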
#1

Updated by Chris Buechler about 6 years ago

  • Status changed from New to Resolved

Thanks. That was initially intentional because we didn't ship root CAs on the versions that were out there at the time of the package's release. It should have been switched to on by default with 2.2.0 and newer though. Just committed that change.

#2

Updated by Ian Gallagher about 6 years ago

Great, glad to help and get it fixed.

#3

Updated by Ian Gallagher almost 6 years ago

Did this make it into 2.2.6? I don't see the 2.2.6 release tag on GitHub.

#4

Updated by Jim Pingle almost 6 years ago

This is in a package, not base, so it's only relevant to the package version not the pfSense version. It's been in the ACB package for a couple weeks now.

#5

Updated by Jim Pingle almost 5 years ago

  • Private changed from Yes to No
