Bug 3106 - rssyl plugin does not verify SSL peer at all
Summary: rssyl plugin does not verify SSL peer at all
Alias: None
Product: Claws Mail
Classification: Unclassified
Component: Plugins/RSSyl (show other bugs)
Version: 3.9.3
Hardware: PC Linux
: P3 normal
Assignee: users
URL: https://bugs.debian.org/742695
Depends on:
Reported: 2014-03-11 09:36 CET by Marcus Meissner
Modified: 2014-04-30 13:36 CEST (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-03-11 09:36:05 CET
src/plugins/rssyl/feed.c has this code:

#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 0);

Meaning you are not checking ssl remote host validity at all.

Please do check it.
Comment 1 Andrej Kacian 2014-03-11 10:33:36 CET
I think this is a remnant from early development, when I did not need to be bothered by extra errors from libcurl.

However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I do not really buy into the extortion racket that certificate authority companies run.

At best, I am willing to make it a per-feed option, defaulting to off.
Comment 2 Andrej Kacian 2014-03-12 16:03:02 CET
For the record, I plan to add both as per-feed options, with _VERIFYHOST defaulting to on, and _VERIFYPEER defaulting to off.
Comment 3 Ricardo Mones 2014-03-28 20:41:23 CET
Andrej, any chance of committing a fix in the next week or so?
Comment 4 users 2014-04-29 10:36:03 CEST
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:

++ ChangeLog	2014-04-29 10:36:03.469951194 +0200
Merge: f2483bd 123cf6f
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:36:02 2014 +0200

    Merge branch 'master' of file:///home/git/claws

Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:33:38 2014 +0200

    Implement SSL certificate verification option (default, and per-feed).
    Fixes bug #3106, "Rssyl plugin does not verify SSL peer at all"

Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:04:02 2014 +0200

    Fix pref label