Softaculous


Topic : Disabling full SSL on API requests


Posted By: Keage on July 22, 2016, 2:53 am
Hi

Why does the API Client, Blesta module and presumably WHMCS module contain this cURL configuration for API calls?

PHP Code

// Turn off the server and peer verification (TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);



This is surely very insecure for something so important?

I have Googled it but only found references to some PayPal sample code...

Thanks

Posted By: Keage on July 29, 2016, 8:29 am | Post: 1
Bump.

Posted By: asim_shaikh on July 30, 2016, 4:50 am | Post: 2
Quote
Hi
Why does the API Client, Blesta module and presumably WHMCS module contain this cURL configuration for API calls?
PHP Code
// Turn off the server and peer verification (TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
This is surely very insecure for something so important?
I have Googled it but only found references to some PayPal sample code...
Thanks


Hi,

By setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST we just disable the checking of the correct SSL cert on the Virtualizor server, to avoid the API failing if the server does not have a valid cert; however, the connection will still be encrypted.

I am copy-pasting an answer from Stack Overflow in this context.

Quote
The connection will still be SSL encrypted. You just won't be doing it
on a link that uses validated-as-correct certificates. Anyone can create
themselves an SSL certificate which will do perfectly acceptable
encryption at whatever level your browser and the webserver support.

However, what you will get is many complaints about not being able to verify the
certificate's authenticity. This is to prevent Joe M. Alicious from
creating themselves a certificate claiming to be "microsoft.com" and
setting up their own Windows Update host. The cert will say it's
microsoft.com, but it cannot be authenticated as actually being
microsoft.com, as Verisign (or whoever) did not actually issue that cert
and put their own stamp of authenticity (signing the cert) on it.

_VERIFYHOST is there to check that the hostname of the URL you're connecting to
(e.g. "microsoft.com") is listed within the SSL cert. With this option
set to false, url/cert hostname mismatches will be ignored (say, you've
got a development box at testbox.develhost.com, but are using your
client's real valid 'example.com' cert).

_VERIFYPEER disables validating the entire certificate. This allows self-signed certs to
work. Otherwise the SSL library will barf saying that the cert's issuer
isn't valid.

But regardless of either setting, if you force through a connection, it WILL be ssl encrypted.



-----------------------
Regards,
Virtualizor Team
http://www.virtualizor.com

Posted By: Keage on July 30, 2016, 7:41 pm | Post: 3
Right, thanks, so doesn't this leave us open to MITM attacks if the certificate isn't verified?

Posted By: Keage on August 11, 2016, 10:39 pm | Post: 4
Bump... SSL certs should be verified. It should just be a configuration option for those using self-signed certs (not recommended in production).

At least when you add Let's Encrypt support please disable this behaviour.
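
The configuration option suggested in this thread, as an added example that is not part of the thread and not Softaculous or Virtualizor code: verification stays on by default, and a self-signed server is handled by trusting its certificate file rather than by switching the checks off. The function names and the `verify_tls` / `ca_file` config keys are hypothetical.

```php
<?php
// Added example: hypothetical helper, not Softaculous/Virtualizor code.
// The $config keys (verify_tls, ca_file) are assumptions made for this sketch.
function api_curl_tls_options(array $config): array
{
    $verify = $config['verify_tls'] ?? true;   // verification is the default

    if ($verify === false) {
        // Explicit opt-out only: same behaviour as the snippet in the thread.
        return [
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => 0,
        ];
    }

    $opts = [
        CURLOPT_SSL_VERIFYPEER => true, // validate the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the URL hostname
    ];

    // Self-signed or private-CA server: trust that specific PEM file instead
    // of turning verification off.
    if (!empty($config['ca_file'])) {
        if (!is_readable($config['ca_file'])) {
            throw new RuntimeException('CA file not readable: ' . $config['ca_file']);
        }
        $opts[CURLOPT_CAINFO] = $config['ca_file'];
    }
    return $opts;
}

function api_get(string $url, array $config = []): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, api_curl_tls_options($config) + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate problems surface here instead of being silently accepted.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('API request failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}
```

With `ca_file` set to the server's own certificate, the hostname check still applies, so the certificate must list the hostname used in the API URL.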

Posted By: Keage on August 24, 2016, 7:27 pm | Post: 5
Bump... disabling SSL certificate verification is a security concern.
