Posted By: Keage on July 29, 2016, 8:29 am | Post: 1 |
Bump. |
Posted By: asim_shaikh on July 30, 2016, 4:50 am | Post: 2 |
Quote Hi
Why does the API Client, Blesta module and presumably WHMCS module contain this cURL configuration for API calls? PHP Code // Turn off the server and peer verification (TrustManager Concept). curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); This is surely very insecure for something so important? I have Googled it but only found references to some PayPal sample code... Thanks Hi, By setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST we just disable the checking of the correct SSL cert on the Virtualizor server, to avoid the API to fail if the Server Does not have a valid cert however the connection will still be encrypted. I am Copy pasting an answer from Stack overflow in this context. Quote The connection will still be SSL encrypted. You just won't be doing it
on a link that uses validated-as-correct certificates. Anyone can create themselves an SSL certificate which will do perfectly acceptable encryption at whatever level your browser and the webserver support. However, what you will get is many complaints about not being able to verify the certificate's authenticity. This is to prevent Joe M. Alicious from creating themselves a certificate claiming to be "microsoft.com" and setting up their own Windows Update host. The cert will say it's microsoft.com, but it cannot be authenticated as actually being microsoft.com, as Verisign (or whoever) did not actually issue that cert and put their own stamp of authenticity (signing the cert) on it. _VERIFYHOST is there to check that the hostname of the URL you're connecting to (e.g. "microsoft.com") is listed within the SSL cert. With this option set to false, url/cert hostname mismatches will be ignored (say, you've got a development box at testbox.develhost.com, but are using your client's real valid 'example.com' cert). _VERIFYPEER disables validating the entire certificate. This allows self-signed certs to work. Otherwise the SSL library will barf saying that the cert's issuer isn't valid. But regardless of either setting, if you force through a connection, it WILL be ssl encrypted. ----------------------- Regards, Virtualizor Team http://www.virtualizor.com |
Posted By: Keage on July 30, 2016, 7:41 pm | Post: 3 |
Right, thanks, so doesn't this leave us open to MITM attacks if the certificate isn't verified? |
Posted By: Keage on August 24, 2016, 7:27 pm | Post: 5 |
Bump... disabling SSL certificate verification is a security concern. |