Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#6734 closed defect (fixed)

CPLHTTPFetch(): CURLOPT_SSL_VERIFYPEER disabled

Reported by: Even Rouault
Owned by: Even Rouault
Priority: normal
Milestone: 2.2.0
Component: default
Version: unspecified
Severity: normal
Keywords: http
Cc: sgillies

Description

CPLHTTPFetch() disables the CURLOPT_SSL_VERIFYPEER check, which means that invalid certificates from the server are accepted.

I did a bit of software archeology and this was added 7 years ago per https://trac.osgeo.org/gdal/changeset/19162, which is a huge changeset for RFC 24 - progressive/async raster reading. I guess that the person who contributed this RFC had a need for a hack for the needs of the JPIPKAK driver, so as to be able to connect to JPIP servers with self-signed certificates.

Later in https://trac.osgeo.org/gdal/changeset/25661, I apparently migrated the UNSAFESSL option which was specific to the WMS driver code to a new general-purpose function CPLHTTPSetOptions(). I probably left the CURLOPT_SSL_VERIFYPEER=FALSE in CPLHTTPFetch() so as not to change the existing behaviour.

Now that the UNSAFESSL option is available, it doesn't seem necessary to unconditionally disable CURLOPT_SSL_VERIFYPEER.
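
Added example, not part of the ticket and not GDAL code: a heuristic Python audit that scans C source for curl_easy_setopt() calls setting CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST to 0 and reports whether each one sits behind a condition (as with an opt-in such as UNSAFESSL) or runs unconditionally, which is the pattern this ticket describes. The function name, the sample C input and the guard heuristic are assumptions made for the illustration.

```python
import re

# Constructed C input for the demo; it is not GDAL source code.
SAMPLE = r'''
/* before: verification switched off for every request */
void fetch_before(CURL *h) {
    curl_easy_setopt(h, CURLOPT_URL, "https://example.org/"); // constructed URL
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, FALSE);
}
/* after: only when the caller explicitly opts in */
void fetch_after(CURL *h, int unsafe_ssl) {
    if (unsafe_ssl) {
        curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L);
        curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 0L);
    }
}
'''

# String/char literals and comments, blanked out before scanning.
NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|/\*.*?\*/|//[^\n]*', re.S)
SETOPT = re.compile(r"curl_easy_setopt\s*\(\s*[^,;]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))"
                    r"\s*,\s*(?:\(\s*long\s*\)\s*)?(\w+)\s*\)")
DISABLED = {"0", "0L", "FALSE", "false"}
GUARD = re.compile(r"\s*(?:if|else|switch|case)\b")  # heuristic: any condition counts

def find_disabled_verification(source):
    """Return (line, option, 'guarded' | 'unconditional') for every call that
    switches certificate or host-name verification off."""
    # Replace noise with spaces but keep newlines so line numbers stay valid.
    code = NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    calls = {m.start(): m for m in SETOPT.finditer(code)}
    findings, blocks, stmt_start = [], [], 0
    for i, ch in enumerate(code):
        if i in calls and calls[i].group(2) in DISABLED:
            # Guarded if an enclosing block, or this statement, is conditional.
            guarded = any(blocks) or bool(GUARD.match(code, stmt_start, i))
            findings.append((code.count("\n", 0, i) + 1, calls[i].group(1),
                             "guarded" if guarded else "unconditional"))
        if ch == "{":
            blocks.append(bool(GUARD.match(code, stmt_start, i)))
        elif ch == "}" and blocks:
            blocks.pop()
        if ch in "{};":
            stmt_start = i + 1
    return findings

if __name__ == "__main__":
    for finding in find_disabled_verification(SAMPLE):
        print(*finding)
```

Preprocessor conditionals and values passed through variables or macros other than FALSE are not resolved, so an "unconditional" finding is a prompt for manual review rather than proof.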

Change History (2)

comment:1 Changed 8 months ago by Even Rouault

Resolution: fixed
Status: new → closed

In 36567:

CPLHTTPFetch(): don't disable peer certificate verification when doing https (fixes #6734)

CPLHTTPFetch() disables the CURLOPT_SSL_VERIFYPEER check, which means that
invalid certificates from the server are accepted.

I did a bit of software archeology and this was added 7 years ago per
https://trac.osgeo.org/gdal/changeset/19162, which is a huge changeset for
RFC 24 - progressive/async raster reading. I guess that the person who contributed
this RFC had a need for a hack for the needs of the JPIPKAK driver, so as to be
able to connect to JPIP servers with self-signed certificates.

Later in https://trac.osgeo.org/gdal/changeset/25661, I apparently migrated the
UNSAFESSL option which was specific to the WMS driver code to a new general-purpose function
CPLHTTPSetOptions(). I probably left the CURLOPT_SSL_VERIFYPEER=FALSE in CPLHTTPFetch()
so as not to change the existing behaviour.

Now that the UNSAFESSL option is available, it doesn't seem necessary to
unconditionally disable CURLOPT_SSL_VERIFYPEER.

comment:2 Changed 8 months ago by Even Rouault

Milestone: 2.2.0

Travis builds seem to be happy with that change. I'm a bit hesitant about backporting this to the 2.1 branch as it might break users that relied, knowingly or not, on certificates not being verified (e.g. if running servers with self-signed certificates).
