Disabling full SSL on API requests
https://www.softaculous.com/board/index.php?tid=9361

---
Posted Thu, 11 Aug 2016 22:39:06 GMT (https://www.softaculous.com/board/index.php?tid=9361&tpg=1#p32242)

At least when you add Let's Encrypt support please disable this behaviour.

---
Quote:
> Hi
> Why does the API Client, Blesta module and presumably WHMCS module contain this cURL configuration for API calls?
> PHP Code:
> // Turn off the server and peer verification (TrustManager Concept).
> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> This is surely very insecure for something so important?
> I have Googled it but only found references to some PayPal sample code...
> Thanks


Hi,

By setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to false we just disable the checking of the correct SSL cert on the Virtualizor server, to avoid the API failing if the server does not have a valid cert; however, the connection will still be encrypted.

I am copy-pasting an answer from Stack Overflow in this context.

Quote:
> The connection will still be SSL encrypted. You just won't be doing it on a link that uses validated-as-correct certificates. Anyone can create themselves an SSL certificate which will do perfectly acceptable encryption at whatever level your browser and the webserver support.
>
> However, what you will get is many complaints about not being able to verify the certificate's authenticity. This is to prevent Joe M. Alicious from creating themselves a certificate claiming to be "microsoft.com" and setting up their own Windows Update host. The cert will say it's microsoft.com, but it cannot be authenticated as actually being microsoft.com, as Verisign (or whoever) did not actually issue that cert and put their own stamp of authenticity (signing the cert) on it.
>
> _VERIFYHOST is there to check that the hostname of the URL you're connecting to (e.g. "microsoft.com") is listed within the SSL cert. With this option set to false, URL/cert hostname mismatches will be ignored (say, you've got a development box at testbox.develhost.com, but are using your client's real valid 'example.com' cert).
>
> _VERIFYPEER disables validating the entire certificate. This allows self-signed certs to work. Otherwise the SSL library will barf saying that the cert's issuer isn't valid.
>
> But regardless of either setting, if you force through a connection, it WILL be SSL encrypted.

Posted Sat, 30 Jul 2016 04:50:34 GMT (https://www.softaculous.com/board/index.php?tid=9361&tpg=1#p32159)
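As an added example that is not part of this thread or of the Softaculous/Virtualizor modules, here is the quoted insecure configuration beside a hardened one that keeps verification on and still works with a self-signed panel certificate by trusting exactly that certificate through CURLOPT_CAINFO (the endpoint URL and the PEM path are hypothetical):

```php
<?php
// Added example; not code from the Softaculous/Virtualizor modules.
// Hypothetical endpoint; adjust for your own deployment.
$url = 'https://panel.example.com:4085/index.php?act=listvs';

// --- Insecure configuration (the one the thread asks about) ---
// The channel is encrypted, but ANY certificate is accepted, so anyone on the
// path can present their own cert and read the API key sent in the request.
function insecureHandle($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    return $ch;
}

// --- Hardened configuration ---
// Verification stays on. If the panel uses a self-signed cert, export that
// cert (PEM) once and trust exactly it via CURLOPT_CAINFO. A cert from a
// public CA (e.g. Let's Encrypt) needs no CAINFO: the system bundle covers it.
function hardenedHandle($url, $pinnedCaFile = null) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);          // 2 = hostname must match the cert
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS); // never fall back to plain HTTP
    if ($pinnedCaFile !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $pinnedCaFile);  // trust only this cert/CA
    }
    return $ch;
}

// Hypothetical path to the exported panel certificate.
$ch   = hardenedHandle($url, '/etc/ssl/private/virtualizor-panel.pem');
$body = curl_exec($ch);
if ($body === false) {
    // A verification failure surfaces here (curl_errno 60, CURLE_SSL_CACERT)
    // instead of being silently ignored. Log it; do not "fix" it by turning
    // VERIFYPEER off, fix the certificate on the panel instead.
    fwrite(STDERR, 'API call failed (' . curl_errno($ch) . '): ' . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
curl_close($ch);
echo $body;
```

The same CURLOPT_CAINFO pinning is what lets a module keep verification enabled for customers who have not yet moved to a publicly trusted certificate.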
---
Why does the API Client, Blesta module and presumably WHMCS module contain this cURL configuration for API calls?

PHP Code:
// Turn off the server and peer verification (TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

This is surely very insecure for something so important?

I have Googled it but only found references to some PayPal sample code...

Thanks

Posted Fri, 22 Jul 2016 02:53:08 GMT (https://www.softaculous.com/board/index.php?tid=9361&tpg=0#p32067)