From b2f59dd2003d8323108c249ce6fb5016eba6b5ed Mon Sep 17 00:00:00 2001 From: Travis Cross Date: Thu, 21 Aug 2014 22:17:35 +0000 Subject: [PATCH] Add warning when using HTTPS with mod_curl mod_curl currently does not verify the authenticity of the peer's certificate, and does not verify whether the common name on the certificate matches the server. This makes mod_curl initiated TLS connections completely insecure. We should fix this, but until we do, we'll warn people that it's not doing what they may think it is. ref: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html ref: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html --- src/mod/applications/mod_curl/mod_curl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/mod/applications/mod_curl/mod_curl.c b/src/mod/applications/mod_curl/mod_curl.c index 61f9a78d2a..bff5df864c 100644 --- a/src/mod/applications/mod_curl/mod_curl.c +++ b/src/mod/applications/mod_curl/mod_curl.c @@ -194,6 +194,7 @@ static http_data_t *do_lookup_url(switch_memory_pool_t *pool, const char *url, c } if (!strncasecmp(url, "https", 5)) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert for %s; connection is not secure\n", url); switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0); switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0); } @@ -357,6 +358,7 @@ static void http_sendfile_initialize_curl(http_sendfile_data_t *http_data) if (!strncasecmp(http_data->url, "https", 5)) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert for %s; connection is not secure\n", http_data->url); curl_easy_setopt(http_data->curl_handle, CURLOPT_SSL_VERIFYPEER, 0); curl_easy_setopt(http_data->curl_handle, CURLOPT_SSL_VERIFYHOST, 0); }
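Review bot: The warning added in do_lookup_url prints the whole `url` through `%s`, and the second hunk does the same with `http_data->url` in http_sendfile_initialize_curl. If callers ever embed credentials in the userinfo part or tokens in the query string, every HTTPS request would now copy them into the log at WARNING level. Logging only the host, or dropping the URL, avoids that: `switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert; connection is not secure\n");`. A short comment above each pair of setopt calls, such as `/* TODO: peer and hostname verification are disabled here; make this configurable and default to verifying */`, would keep the open problem visible in the code as well as in the commit message. Both functions begin and end outside the hunks, so how the URL reaches them is not visible here.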