Bug 3105 - vcal plugin via https does not check SSL peer certificates or host
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/vCalendar
Version: 3.9.3
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2014-03-11 09:27 UTC by Marcus Meissner
Modified: 2014-04-27 12:47 UTC

Description Marcus Meissner 2014-03-11 09:27:31 UTC
src/plugins/vcalendar/vcal_folder.c

has this:

#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
#endif

This is basically allowing any kind of man in the middle attack.


Please fix.
Comment 1 users 2014-04-21 14:48:03 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2014-04-21 14:48:03.583507242 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=1dcb028ecd64f44d96ce3bb1e00a1a8316ec1d1d
Merge: ea9e88b e31ec07
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 14:48:03 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e31ec07076724b7674db10da03ff959312ff7129
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 14:46:29 2014 +0200

    Fix bug #3105, "vCal plugin via https does not check SSL peer certificates or host"
    Add a preference to disable SSL certificate verification.
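
The pattern reported above can be located mechanically in a C source tree. The following is an added example, not code from this bug report or from Claws Mail: it classifies every `CURLOPT_SSL_VERIFYPEER` / `CURLOPT_SSL_VERIFYHOST` setopt call by its value. The `audit` function, the `SAMPLE` text and the `verify_cert` variable are assumptions constructed for illustration; the preference-gated call in the sample is not the actual fix.

```python
import re

# curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, value); may span lines.
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,;]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^;]+?)\s*\)\s*;",
    re.S)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
# Literal spellings of zero: 0, 0L, (long)0, FALSE.
ZERO = re.compile(r"(?:\(\s*long\s*\)\s*)?(?:0[lL]?|FALSE|false)")

def _blank_comments(src):
    # Overwrite comments with spaces but keep newlines, so line numbers hold.
    return COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def audit(src):
    """Return (line, option, value, verdict) for each verification setopt."""
    findings = []
    clean = _blank_comments(src)
    for m in SETOPT.finditer(clean):
        option, value = m.group(1), m.group(2)
        line = clean.count("\n", 0, m.start()) + 1
        if ZERO.fullmatch(value):
            verdict = "DISABLED"
        elif re.fullmatch(r"\d+[lL]?", value):
            # Full checking is VERIFYPEER 1 and VERIFYHOST 2.
            good = "1" if option.endswith("PEER") else "2"
            verdict = "ok" if value.rstrip("lL") == good else "REVIEW"
        else:
            verdict = "REVIEW"  # decided at run time, e.g. by a preference
        findings.append((line, option, value, verdict))
    return findings

# Constructed input: the snippet from this report, a commented-out copy,
# and a hypothetical preference-gated call (verify_cert is an assumed name).
SAMPLE = """\
#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
#endif
/* curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0); */
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER,
                 verify_cert ? 1L : 0L);
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 2L);
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The comment stripping is not string-literal aware, so a `//` inside a C string (a URL, for instance) is blanked as well; that can hide a call but never invents one.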
