Verification of certificates from queried sites

Foo Bar
Bear Rating Trainee
Posts: 4
Joined: 17 Aug 2015, 01:29

Verification of certificates from queried sites

Postby Foo Bar » 17 Aug 2015, 01:42

Hi,

I recently saw that my ttrss instance does not verify any SSL certificate of the sites it queries for RSS feeds. I searched for it in the source and came up with "CURLOPT_SSL_VERIFYPEER", which is set to false in functions.php and functions2.php.

I think this behaviour might lead to a MITM and loss of login data for password-protected sites.

Normally you can add self-signed certs to your trusted CAs via ca-certificates, so I can't imagine why VERIFYPEER is disabled.

Could anyone confirm that?

Thanks
Foo

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Verification of certificates from queried sites

Postby fox » 17 Aug 2015, 07:45

realistically nobody is gonna mitm your treasured password to ponyporntorrents.com/rss because nobody cares about you

> Normally you can add self-signed certs via ca-certificate to your trusted CAs so I can't imagine, why VERIFYPEER is disabled.

actually a normal person will not be capable of doing that and instead they will come here whining about that one broken garbage feed that works with OTHER RSS READERS AND WHY IS IT BROKEN NOW Q_Q

can we rely on you providing support to those people, forum user Foo Bar? they are going to be running arbitrary versions of various operating systems with and without root and shell access. hope you did your homework.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Verification of certificates from queried sites

Postby fox » 17 Aug 2015, 07:52

that said with the paranoid schizophrenic behavior re: CA racket considered normal these days for browsers i guess nobody of any value is running on self-signed certificates anymore so we might as well revert it and enjoy the fallout (if any)

i am however gonna refer any possible complaints to your thread.

Foo Bar
Bear Rating Trainee
Posts: 4
Joined: 17 Aug 2015, 01:29

Re: Verification of certificates from queried sites

Postby Foo Bar » 17 Aug 2015, 12:04

Do I understand correctly that a fix for this issue is coming?

> actually a normal person will not be capable of doing that

When I install software that is designed to be hosted on a server, I expect that no security-relevant fixes should be necessary. And not verifying certificates isn't best practice in any case. So I think security should be turned on by default, and if anybody wants to turn it off, then it's their own decision.

> can we rely on you providing support to those people, forum user Foo Bar?

If you need help supporting those users who have questions about this issue, then I will. But are such deals normal to get bugs fixed?


To provide some initial information on how to get self-signed certificates accepted with VERIFYPEER set to true:

* Windows Server: https://snippets.webaware.com.au/howto/ ... hp-config/
  -> Just append your certificate to that file
* Linux:

# update-ca-certificates only picks up files ending in .crt from this directory
sudo cp my.cert /usr/local/share/ca-certificates/my.crt
# Certificates under /usr/local/share/ca-certificates/ are added automatically;
# /etc/ca-certificates.conf only lists the distribution bundle under /usr/share/ca-certificates,
# so no entry needs to be appended there (and writing to /etc would need sudo anyway)
sudo update-ca-certificates


To obtain the self-signed certificate you can add to your list of trusted CAs:
* Open Firefox -> browse to the untrusted site -> click the lock left of the address bar -> More Information -> View Certificate -> Details -> Export
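As an added illustration of the two points raised in this thread (the VERIFYPEER=false setting found in functions.php, and trusting a self-signed feed certificate without disabling verification), here is a PHP fetch function written for this post; it is not tt-rss code, and the function name, parameters and return shape are hypothetical:

```php
<?php
// Added example, not tt-rss code. Fetches a feed URL with TLS verification
// enabled and fails closed on certificate errors instead of sending any
// HTTP auth credentials to an unverified peer.
// $ca_bundle (hypothetical parameter): optional PEM file that contains the
// system CAs plus the self-signed feed certificate exported as described above.
function fetch_feed_verified(string $url, ?string $ca_bundle = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,
        // Only allow HTTP(S), also on redirects, so a feed cannot bounce to file:// etc.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 15,
        CURLOPT_TIMEOUT         => 45,
        // The weak setting discussed in this thread was CURLOPT_SSL_VERIFYPEER => false,
        // which accepts any certificate, including one forged by a MITM.
        CURLOPT_SSL_VERIFYPEER  => true,
        // 2 = also require the certificate name to match the requested host name.
        CURLOPT_SSL_VERIFYHOST  => 2,
    ]);
    // Trust a self-signed feed cert by extending the CA bundle, not by disabling checks.
    if ($ca_bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $ca_bundle);
    }

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        // Certificate problems have their own curl error codes; report them so the
        // operator knows to import the cert rather than turn verification off.
        $cert_errors = [CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE, CURLE_SSL_CERTPROBLEM];
        $kind = in_array($errno, $cert_errors, true) ? 'certificate' : 'transport';
        return ['ok' => false, 'kind' => $kind, 'errno' => $errno, 'error' => $error];
    }
    return ['ok' => true, 'status' => $status, 'body' => $body];
}

// Example call (constructed URL): with the system store as the default trust root.
$result = fetch_feed_verified('https://example.com/feed.xml');
echo $result['ok'] ? "fetched HTTP {$result['status']}\n"
                   : "{$result['kind']} error {$result['errno']}: {$result['error']}\n";
```

A self-signed feed that was added to the system store with update-ca-certificates will verify with the default call; one kept outside the store can be passed as $ca_bundle instead.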

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Verification of certificates from queried sites

Postby fox » 17 Aug 2015, 12:10

> Do I understand that correctly, that there will come a fix to that issue?

https://tt-rss.org/gitlab/fox/tt-rss/co ... f3c67ef334

> (rest of your post)

please stop the sperging, nobody actually cares

Foo Bar
Bear Rating Trainee
Posts: 4
Joined: 17 Aug 2015, 01:29

Re: Verification of certificates from queried sites

Postby Foo Bar » 17 Aug 2015, 12:50

Thanks a lot!
