 Disabling full SSL on API requests (5 Replies, Read 4965 times)
Keage:
Hi

Why does the API Client, Blesta module and presumably WHMCS module contain this cURL configuration for API calls?

PHP Code (as shipped in the modules; verification is deliberately turned off here)

    // Turn off the server and peer verification (TrustManager Concept).
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);



This is surely very insecure for something so important?

I have Googled it but only found references to some PayPal sample code...

Thanks

Keage:
Bump.

asim_shaikh:
(Quoting Keage's first post above.)

Hi,

By setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST we just disable the checking of the SSL cert on the Virtualizor server, to avoid the API failing if the server does not have a valid cert; however, the connection will still be encrypted.

I am copy-pasting an answer from Stack Overflow in this context.

Quote
The connection will still be SSL encrypted. You just won't be doing it on a link that uses validated-as-correct certificates. Anyone can create themselves an SSL certificate which will do perfectly acceptable encryption at whatever level your browser and the webserver support.

However, what you will get is many complaints about not being able to verify the certificate's authenticity. This is to prevent Joe M. Alicious from creating themselves a certificate claiming to be "microsoft.com" and setting up their own Windows Update host. The cert will say it's microsoft.com, but it cannot be authenticated as actually being microsoft.com, as Verisign (or whoever) did not actually issue that cert and put their own stamp of authenticity (signing the cert) on it.

_VERIFYHOST is there to check that the hostname of the URL you're connecting to (e.g. "microsoft.com") is listed within the SSL cert. With this option set to false, url/cert hostname mismatches will be ignored (say, you've got a development box at testbox.develhost.com, but are using your client's real valid 'example.com' cert).

_VERIFYPEER disables validating the entire certificate. This allows self-signed certs to work. Otherwise the SSL library will barf saying that the cert's issuer isn't valid.

But regardless of either setting, if you force through a connection, it WILL be ssl encrypted.



-----------------------
Regards,
Virtualizor Team
http://www.virtualizor.com
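The reply above is right that the bytes on the wire stay encrypted, but with both options off cURL will accept any certificate, including one minted on the spot by whoever sits between the module and the panel, so the API key and every response are readable by that party. The usual fix for self-signed panels is not to switch verification off but to tell cURL which certificate to trust. The helper below is an added example written for this thread; it is not Virtualizor's API client, the Blesta module or the WHMCS module, and the URL and file paths in it are placeholders. It keeps verification on by default, lets a self-signed deployment pin its own certificate via CURLOPT_CAINFO, and only disables verification when the caller asks for it explicitly, next to the original behaviour for comparison.

```php
<?php
// Added example for this thread, not code from Virtualizor or its modules.
// Assumed placeholders: the https://panel.example.com URL and the PEM paths.

/**
 * Build a cURL handle for an HTTPS API call with verification on by default.
 *
 * @param string      $url      HTTPS endpoint of the panel.
 * @param string|null $caFile   Optional PEM file holding the CA certificate, or the
 *                              panel's own self-signed certificate, that the server
 *                              chain must validate against. This is how a self-signed
 *                              panel is supported without turning verification off.
 * @param bool        $insecure Only when true are VERIFYPEER/VERIFYHOST disabled.
 */
function api_curl_init(string $url, ?string $caFile = null, bool $insecure = false)
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('API URL must use https://');
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    if ($insecure) {
        // The behaviour the modules ship with: encrypted, but any certificate is
        // accepted, so an on-path attacker presenting a self-signed cert for the
        // panel's hostname can read the API key and the responses.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        trigger_error('TLS certificate verification disabled for ' . $url, E_USER_WARNING);
        return $ch;
    }

    // Hardened form: validate the chain and require the certificate to name the
    // host. VERIFYHOST must be 2; the value 1 is not a hostname check.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if ($caFile !== null) {
        if (!is_readable($caFile)) {
            throw new RuntimeException("CA file not readable: $caFile");
        }
        // Trust this file instead of the system store for this connection.
        curl_setopt($ch, CURLOPT_CAINFO, $caFile);
    }
    return $ch;
}

/**
 * POST form fields to the panel and return the response body.
 * Fails closed on any cURL error; it never retries with verification off.
 */
function api_post(string $url, array $fields, ?string $caFile = null, bool $insecure = false): string
{
    $ch = api_curl_init($url, $caFile, $insecure);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $err   = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // cURL errors 51 and 60 are certificate verification failures: an
        // untrusted issuer or a hostname mismatch. Surface them, do not hide them.
        throw new RuntimeException("API call failed (cURL error $errno): $err");
    }
    return $body;
}

// Usage (placeholder values):
// Public CA, e.g. a Let's Encrypt certificate on the panel, verified via the system store:
//   $out = api_post('https://panel.example.com/index.php', ['api' => 'json']);
// Self-signed panel: export its certificate once and pin it, verification stays on:
//   $out = api_post('https://panel.example.com/index.php', ['api' => 'json'], '/etc/ssl/panel-selfsigned.pem');
// Only as a last resort, and loudly:
//   $out = api_post('https://panel.example.com/index.php', ['api' => 'json'], null, true);
```

The pinned-file path covers the case the reply gives as the reason for disabling verification: a panel without a publicly trusted certificate still gets a verified connection, and an attacker substituting their own certificate is rejected with a cURL error rather than silently accepted.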

Keage:
Right, thanks, so doesn't this leave us open to MITM attacks if the certificate isn't verified?

Keage:
Bump... SSL certs should be verified. It should just be a configuration option for those using self-signed certs (not recommended in production).

At least when you add Let's Encrypt support please disable this behaviour.

Keage:
Bump... disabling SSL certificate verification is a security concern.