Bug 3106 - rssyl plugin does not verify SSL peer at all
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Plugins/RSSyl
Version: 3.9.3
Hardware: PC Linux
Importance: P3 normal
Assignee: users
URL: https://bugs.debian.org/742695
Reported: 2014-03-11 08:36 UTC by Marcus Meissner
Modified: 2014-04-30 11:36 UTC

Description Marcus Meissner 2014-03-11 08:36:05 UTC
src/plugins/rssyl/feed.c has this code:

#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 0);

Meaning you are not checking ssl remote host validity at all.

Please do check it.
Comment 1 Andrej Kacian 2014-03-11 09:33:36 UTC
I think this is a remnant from early development, when I did not need to be bothered by extra errors from libcurl.

However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I do not really buy into the extortion racket that certificate authority companies run.

At best, I am willing to make it a per-feed option, defaulting to off.
Comment 2 Andrej Kacian 2014-03-12 15:03:02 UTC
For the record, I plan to add both as per-feed options, with _VERIFYHOST defaulting to on, and _VERIFYPEER defaulting to off.
Comment 3 Ricardo Mones 2014-03-28 19:41:23 UTC
Andrej, any chance of committing a fix in the next week or so?
Comment 4 users 2014-04-29 08:36:03 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:

++ ChangeLog	2014-04-29 10:36:03.469951194 +0200
Merge: f2483bd 123cf6f
Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:36:02 2014 +0200

    Merge branch 'master' of file:///home/git/claws

Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:33:38 2014 +0200

    Implement SSL certificate verification option (default, and per-feed).
    Fixes bug #3106, "Rssyl plugin does not verify SSL peer at all"

Author: Colin Leroy <colin@colino.net>
Date:   Tue Apr 29 10:04:02 2014 +0200

    Fix pref label

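An audit check for the pattern this report describes, as an added example that is not Claws Mail code: it scans C source for curl_easy_setopt calls that set CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to a literal zero, and marks non-literal values (such as a per-feed preference) for manual review of their default. The function names, the finding format and the embedded sample are constructed for illustration.

```python
import re

# Head of a curl_easy_setopt() call that sets one of the two options.
HEAD_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,;]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,")
CAST = r"(?:\(\s*long\s*\)\s*)?"
OFF_RE = re.compile(CAST + r"(?:0[lL]?|FALSE)")   # literal "off"
NUM_RE = re.compile(CAST + r"\d+[lL]?")           # any integer literal

def strip_comments(src):
    """Blank out C comments (not string literals), preserving line numbers."""
    def blank(m):
        return m.group(0) if m.group(0)[0] == '"' else re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', blank, src, flags=re.S)

def third_argument(src, pos):
    """Text from pos up to the parenthesis that closes the setopt call."""
    depth = 0
    for i in range(pos, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            if depth == 0:
                return src[pos:i].strip()
            depth -= 1
    return src[pos:].strip()

def find_disabled_verification(src):
    """Return (line, option, value, status); literal non-zero values are skipped."""
    findings, clean = [], strip_comments(src)
    for m in HEAD_RE.finditer(clean):
        value = third_argument(clean, m.end())
        line = clean.count("\n", 0, m.start()) + 1
        if OFF_RE.fullmatch(value):
            findings.append((line, m.group(1), value, "disabled"))
        elif not NUM_RE.fullmatch(value):
            findings.append((line, m.group(1), value, "review"))  # e.g. a preference
    return findings

# Constructed sample: lines 2-3 mirror the report, 5-6 show a per-feed option.
SAMPLE = '''\
static void setup(CURL *eh, int verify /* hypothetical per-feed pref */) {
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 0);
        // curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, 0L);
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYPEER, verify ? 1L : 0L);
        curl_easy_setopt(eh, CURLOPT_SSL_VERIFYHOST, 2L);
}
'''
```

libcurl's own defaults are 1 for CURLOPT_SSL_VERIFYPEER and 2 for CURLOPT_SSL_VERIFYHOST, so a "disabled" finding always marks a place where the code explicitly turned a check off.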