
Verification of certificates from queried sites

Posted: 17 Aug 2015, 01:42
by Foo Bar
Hi,

I recently saw that my ttrss instance does not verify any SSL certificate of the sites it queries for RSS feeds. I searched for it in the source and came up with "CURLOPT_SSL_VERIFYPEER", which is set to false in functions.php and functions2.php.

I think this behaviour might lead to a MITM and loss of login-data for password protected sites.

Normally you can add self-signed certs via ca-certificate to your trusted CAs so I can't imagine, why VERIFYPEER is disabled.

Could anyone confirm that?

Thanks
Foo

Re: Verification of certificates from queried sites

Posted: 17 Aug 2015, 07:45
by fox
realistically nobody is gonna mitm your treasured password to ponyporntorrents.com/rss because nobody cares about you

>Normally you can add self-signed certs via ca-certificate to your trusted CAs so I can't imagine, why VERIFYPEER is disabled.

actually a normal person will not be capable of doing that and instead they will come here whining about that one broken garbage feed that works with OTHER RSS READERS AND WHY IS IT BROKEN NOW Q_Q

can we rely on you providing support to those people, forum user Foo Bar? they are going to be running arbitrary versions of various operating systems with and without root and shell access. hope you did your homework.

Re: Verification of certificates from queried sites

Posted: 17 Aug 2015, 07:52
by fox
that said with the paranoid schizophrenic behavior re: CA racket considered normal these days for browsers i guess nobody of any value is running on self-signed certificates anymore so we might as well revert it and enjoy the fallout (if any)

i am however gonna refer any possible complaints to your thread.

Re: Verification of certificates from queried sites

Posted: 17 Aug 2015, 12:04
by Foo Bar
Do I understand correctly that a fix for that issue is coming?

>actually a normal person will not be capable of doing that

When I install software that is designed to be hosted on a server, I expect that no security-relevant fixes should be necessary. And not verifying certificates isn't best practice in any case. So I think security should be turned on by default, and if anybody wants to turn it off, then it's their own decision.

> can we rely on you providing support to those people, forum user Foo Bar?

If you need help supporting those users who have questions about this issue, then I will. But are deals like that normal for getting bugs fixed?


To provide some initial information on how to get self-signed certificates accepted with VERIFYPEER set to true:

* Windows Server: https://snippets.webaware.com.au/howto/ ... hp-config/
  -> Just append your certificate to that file
* Linux:

Code:

# update-ca-certificates only picks up *.crt files from this directory, so rename on copy
sudo cp my.cert /usr/local/share/ca-certificates/my.crt
# certificates under /usr/local/share/ca-certificates are included automatically,
# so /etc/ca-certificates.conf does not need to be edited (and editing it would need sudo anyway)
sudo update-ca-certificates


To get the self-signed certificate you can add to your list of trusted CAs:
* Open Firefox -> browse to that untrusted site -> click on the lock to the left of the address bar -> More Information -> View Certificate -> Details -> Export
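As an added illustration of the point raised in this thread (this is example code, not tt-rss's own functions.php), the weak curl setup the first post describes is shown beside a hardened one that keeps VERIFYPEER on and points curl at a CA bundle that also contains the self-signed certificate installed with the steps above. The feed URL, the bundle path and the function names are assumptions for the example.

```php
<?php
// Added example, not tt-rss code. Shows the curl option that the thread
// reports as disabled, beside the hardened configuration.

// Weak: accepts any certificate. An on-path attacker can terminate TLS
// with their own cert and read the HTTP auth credentials of protected feeds.
function weak_feed_handle(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0, // commonly switched off together with VERIFYPEER
    ]);
    return $ch;
}

// Hardened: verify the chain against the trust store and check that the
// certificate name matches the host. $caBundle is optional; when given it
// overrides curl's default bundle (e.g. the bundle written by
// update-ca-certificates, path assumed for the example).
function secure_feed_handle(string $url, ?string $caBundle = null)
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2, // 2 = verify the host name against the cert
        CURLOPT_FOLLOWLOCATION => true,
        // keep redirects on plain HTTP(S); no file://, gopher:// etc.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);
    return $ch;
}

// Fetch a feed with verification on. A verification failure surfaces as a
// curl error (curl_errno() != 0 and curl_error() describing the SSL problem);
// the caller must not react to it by disabling VERIFYPEER.
function fetch_feed(string $url, ?string $caBundle = null): array
{
    $ch   = secure_feed_handle($url, $caBundle);
    $body = curl_exec($ch);
    $result = [
        'ok'    => $body !== false,
        'errno' => curl_errno($ch),
        'error' => curl_error($ch),
        'body'  => $body === false ? '' : $body,
    ];
    curl_close($ch);
    return $result;
}

// Usage (URL and bundle path are assumptions):
$r = fetch_feed('https://feeds.example.org/rss.xml', '/etc/ssl/certs/ca-certificates.crt');
if (!$r['ok']) {
    fwrite(STDERR, "feed fetch failed: {$r['error']} (curl errno {$r['errno']})\n");
}
```

The difference between the two handles is exactly the pair of options the thread is about: with VERIFYPEER false, curl_exec() succeeds against any certificate, including one presented by a man in the middle; with VERIFYPEER true and VERIFYHOST 2, a feed on a self-signed certificate fails until that certificate is in the bundle curl uses, which is what the update-ca-certificates steps above arrange.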

Re: Verification of certificates from queried sites

Posted: 17 Aug 2015, 12:10
by fox
> Do I understand that correctly, that there will come a fix to that issue?

https://tt-rss.org/gitlab/fox/tt-rss/co ... f3c67ef334

> (rest of your post)

please stop the sperging, nobody actually cares

Re: Verification of certificates from queried sites

Posted: 17 Aug 2015, 12:50
by Foo Bar
Thanks a lot!