Bug 3106 - rssyl plugin does not verify SSL peer at all
Status: RESOLVED FIXED
Product: Claws Mail
Classification: Unclassified
Component: Plugins/RSSyl
Version: 3.9.3
Hardware: PC Linux
Importance: P3 normal
Assigned To: users
https://bugs.debian.org/742695
Depends on:
Blocks:
Reported: 2014-03-11 09:36 CET by Marcus Meissner
Modified: 2014-04-30 13:36 CEST

See Also:


Attachments

Description Marcus Meissner 2014-03-11 09:36:05 CET
src/plugins/rssyl/feed.c has this code:

#if LIBCURL_VERSION_NUM >= 0x070a00
        /* 0 = do not check the server certificate chain against trusted CAs */
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0);
        /* 0 = do not check that the certificate names match the feed URL host */
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 0);
#endif

Meaning you are not checking SSL remote host validity at all.

Please do check it.
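The following is an added illustration, not code from the bug report or from Claws Mail: it expresses the two libcurl switches quoted above with Python's standard ssl module, where CURLOPT_SSL_VERIFYPEER corresponds to SSLContext.verify_mode and CURLOPT_SSL_VERIFYHOST to SSLContext.check_hostname, so that the effect of each combination can be inspected offline. The SslPrefs and FeedOverride types, resolve_prefs, tls_client_context and effective_policy are names chosen for this example; the optional cafile field stands in for the role CURLOPT_CAINFO plays in libcurl (verifying against a specific CA bundle rather than disabling verification). One point the example makes concrete: since Python 3.7 the ssl module does not allow "check the name but not the chain", because a name check on an unverified certificate proves nothing, and it promotes that combination to full verification.

```python
"""Added example (not part of the bug report or the Claws Mail code base):
the two libcurl switches quoted above expressed with Python's standard
ssl module, so the effect of each can be inspected without a network."""
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class SslPrefs:
    """Effective verification policy for one feed fetch (names are ours)."""
    verify_peer: bool = True        # like CURLOPT_SSL_VERIFYPEER: chain checked against trusted CAs
    verify_host: bool = True        # like CURLOPT_SSL_VERIFYHOST: cert names must match the URL host
    cafile: Optional[str] = None    # optional private CA bundle (the role CURLOPT_CAINFO plays in libcurl)


@dataclass
class FeedOverride:
    """Per-feed overrides; None means 'inherit the global default'."""
    verify_peer: Optional[bool] = None
    verify_host: Optional[bool] = None


def resolve_prefs(defaults: SslPrefs, override: FeedOverride) -> SslPrefs:
    """Apply a feed's overrides on top of the global defaults."""
    return SslPrefs(
        verify_peer=defaults.verify_peer if override.verify_peer is None else override.verify_peer,
        verify_host=defaults.verify_host if override.verify_host is None else override.verify_host,
        cafile=defaults.cafile,
    )


def tls_client_context(prefs: SslPrefs) -> ssl.SSLContext:
    """Build a client TLS context that honours the policy.

    create_default_context() starts from the safe defaults (CERT_REQUIRED,
    check_hostname=True, system CA store); only what the policy asks for is relaxed.
    """
    ctx = ssl.create_default_context()
    if prefs.cafile:
        # Trust only this bundle (e.g. a private CA) instead of the system store.
        ctx.load_verify_locations(cafile=prefs.cafile)
    # verify_mode cannot be lowered to CERT_NONE while check_hostname is on,
    # so the hostname check is cleared first and re-applied afterwards.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if prefs.verify_peer else ssl.CERT_NONE
    # Python >= 3.7 refuses "check the name but not the chain": enabling
    # check_hostname while verify_mode is CERT_NONE promotes verify_mode to
    # CERT_REQUIRED, because a name check on an unverified certificate proves
    # nothing (any self-signed certificate can carry the expected name).
    ctx.check_hostname = prefs.verify_host
    return ctx


def effective_policy(defaults: SslPrefs, override: FeedOverride) -> dict:
    """Report what the resulting context will actually enforce."""
    ctx = tls_client_context(resolve_prefs(defaults, override))
    return {
        "peer_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "host_verified": ctx.check_hostname,
    }


if __name__ == "__main__":
    secure_defaults = SslPrefs()
    for label, ovr in [
        ("global defaults", FeedOverride()),
        ("feed opts out of the host check", FeedOverride(verify_host=False)),
        ("feed opts out of both checks", FeedOverride(verify_peer=False, verify_host=False)),
    ]:
        print(f"{label}: {effective_policy(secure_defaults, ovr)}")
```

Running the block prints the enforced policy for each combination; the only combination that cannot be produced is peer verification off with host verification on, which the ssl module upgrades to full verification. For a feed served under a private CA, pointing cafile at that CA's bundle keeps both checks on without depending on the public CA set.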
Comment 1 Andrej Kacian 2014-03-11 10:33:36 CET
I think this is a remnant from early development, when I did not need to be bothered by extra errors from libcurl.

However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I do not really buy into the extortion racket that certificate authority companies run.

At best, I am willing to make it a per-feed option, defaulting to off.
Comment 2 Andrej Kacian 2014-03-12 16:03:02 CET
For the record, I plan to add both as per-feed options, with _VERIFYHOST defaulting to on, and _VERIFYPEER defaulting to off.
Comment 3 Ricardo Mones 2014-03-28 20:41:23 CET
Andrej, any chance of committing a fix in the next week or so?
Comment 4 users 2014-04-29 10:36:03 CEST
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2014-04-29 10:36:03.469951194 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=8a1b06bc6e820e913386ee560807ee8bd0314246
Merge: f2483bd 123cf6f
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:36:02 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=123cf6fbfe84f47d6bf277efc835a1b353ed0c94
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:33:38 2014 +0200

    Implement SSL certificate verification option (default, and per-feed).
    Fixes bug #3106, "Rssyl plugin does not verify SSL peer at all"

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=dc6d8a1a1947544caa7b309d99b2614d61c6ec03
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:04:02 2014 +0200

    Fix pref label