Bug 3106

Summary: rssyl plugin does not verify SSL peer at all
Product: Claws Mail (GTK 2)
Reporter: Marcus Meissner <meissner>
Component: Plugins/RSSyl
Assignee: users
Status: RESOLVED FIXED    
Severity: normal    
Priority: P3    
Version: 3.9.3   
Hardware: PC   
OS: Linux   
URL: https://bugs.debian.org/742695

Description Marcus Meissner 2014-03-11 08:36:05 UTC
src/plugins/rssyl/feed.c has this code:

#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 0);
#endif

Meaning you are not checking SSL remote host validity at all.

Please do check it.
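Added example (not code from Claws Mail or the rssyl plugin): the hard-coded "0, 0" setting quoted above, next to a per-feed verification preference mapped onto the values libcurl expects. The names feed_prefs, ssl_verify_values, ssl_values_for_feed, ssl_state_describe and the RSSYL_EXAMPLE_USE_CURL macro are assumptions made for this example; the feed URL is a constructed sample. The real curl_easy_setopt calls are compiled only when built with -DRSSYL_EXAMPLE_USE_CURL -lcurl, so the mapping logic can be compiled and run without libcurl.

```c
/* Added example, not code from Claws Mail or rssyl. The names feed_prefs,
 * ssl_verify_values, ssl_values_for_feed, ssl_state_describe and
 * RSSYL_EXAMPLE_USE_CURL are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef RSSYL_EXAMPLE_USE_CURL   /* build with -DRSSYL_EXAMPLE_USE_CURL -lcurl */
#include <curl/curl.h>
#endif

/* Hypothetical per-feed preference: the two switches discussed in this bug. */
struct feed_prefs {
    int ssl_verify_peer;   /* require a chain to a trusted CA */
    int ssl_verify_host;   /* require the certificate name to match the host */
};

/* The values libcurl's setopt expects for the two options. */
struct ssl_verify_values {
    long verifypeer;   /* CURLOPT_SSL_VERIFYPEER: 0 off, 1 on */
    long verifyhost;   /* CURLOPT_SSL_VERIFYHOST: 0 off, 2 full name check
                          (1 is an obsolete value and is not used here) */
};

/* What the quoted feed.c code sets: no verification at all. */
struct ssl_verify_values ssl_values_unverified(void)
{
    struct ssl_verify_values v = { 0L, 0L };
    return v;
}

/* Corrected mapping from the per-feed preference to libcurl values. */
struct ssl_verify_values ssl_values_for_feed(struct feed_prefs p)
{
    struct ssl_verify_values v;
    v.verifypeer = p.ssl_verify_peer ? 1L : 0L;
    v.verifyhost = p.ssl_verify_host ? 2L : 0L;
    return v;
}

/* Default for a newly added feed: both checks on. */
struct feed_prefs feed_prefs_default(void)
{
    struct feed_prefs p = { 1, 1 };
    return p;
}

/* 1 if the feed URL uses https (scheme compared case-insensitively), else 0. */
int feed_uses_tls(const char *url)
{
    const char *scheme = "https://";
    for (; *scheme; scheme++, url++) {
        if (*url == '\0' || tolower((unsigned char)*url) != *scheme)
            return 0;
    }
    return 1;
}

/* Human-readable effect of a preference on a given feed. Name checking
 * without peer verification is weak: any certificate carrying the right
 * name, regardless of who issued it, passes. */
const char *ssl_state_describe(const char *url, struct feed_prefs p)
{
    if (!feed_uses_tls(url))
        return "plaintext http: no TLS, options irrelevant";
    if (p.ssl_verify_peer && p.ssl_verify_host)
        return "verified: trusted CA and matching host name";
    if (p.ssl_verify_peer)
        return "partial: trusted CA but host name unchecked";
    if (p.ssl_verify_host)
        return "partial: name checked but issuer untrusted";
    return "unverified: any certificate accepted";
}

#ifdef RSSYL_EXAMPLE_USE_CURL
/* Apply the mapping to an easy handle; setopt errors are passed back. */
CURLcode ssl_apply_to_handle(CURL *eh, struct feed_prefs p)
{
    struct ssl_verify_values v = ssl_values_for_feed(p);
    CURLcode rc = curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, v.verifypeer);
    if (rc == CURLE_OK)
        rc = curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, v.verifyhost);
    return rc;
}
#endif

int main(void)
{
    const char *url = "https://example.org/feed.xml";   /* constructed sample */
    struct feed_prefs off = { 0, 0 };
    struct feed_prefs def = feed_prefs_default();
    struct ssl_verify_values weak = ssl_values_unverified();
    struct ssl_verify_values fixed = ssl_values_for_feed(def);

    printf("quoted feed.c: VERIFYPEER=%ld VERIFYHOST=%ld -> %s\n",
           weak.verifypeer, weak.verifyhost, ssl_state_describe(url, off));
    printf("default prefs: VERIFYPEER=%ld VERIFYHOST=%ld -> %s\n",
           fixed.verifypeer, fixed.verifyhost, ssl_state_describe(url, def));
    return 0;
}
```

The default of both checks on is a choice made for this example; the bug discussion below settles on different defaults. Whatever the default, keeping VERIFYHOST at 2 rather than 1 matters, since 1 is not a valid "on" value for that option.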
Comment 1 Andrej Kacian 2014-03-11 09:33:36 UTC
I think this is a remnant from early development, when I did not need to be bothered by extra errors from libcurl.

However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I do not really buy into the extortion racket that certificate authority companies run.

At best, I am willing to make it a per-feed option, defaulting to off.
Comment 2 Andrej Kacian 2014-03-12 15:03:02 UTC
For the record, I plan to add both as per-feed options, with _VERIFYHOST defaulting to on, and _VERIFYPEER defaulting to off.
Comment 3 Ricardo Mones 2014-03-28 19:41:23 UTC
Andrej, any chance of committing a fix in the next week or so?
Comment 4 users 2014-04-29 08:36:03 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2014-04-29 10:36:03.469951194 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=8a1b06bc6e820e913386ee560807ee8bd0314246
Merge: f2483bd 123cf6f
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:36:02 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=123cf6fbfe84f47d6bf277efc835a1b353ed0c94
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:33:38 2014 +0200

    Implement SSL certificate verification option (default, and per-feed).
    Fixes bug #3106, "Rssyl plugin does not verify SSL peer at all"

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=dc6d8a1a1947544caa7b309d99b2614d61c6ec03
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:04:02 2014 +0200

    Fix pref label