6.0.0-beta1
8/12/25

[#12929] Horde_Http: Fix disabling SSL certificate hostname check
Summary: Horde_Http: Fix disabling SSL certificate hostname check
Queue: Horde Framework Packages
Queue Version: Git master
Type: Bug
State: Resolved
Priority: 1. Low
Owners: jan (at) horde (dot) org
Requester: thomas.jarosch (at) intra2net (dot) com
Created: 01/21/2014 (4221 days ago)
Due:
Updated: 01/26/2016 (3486 days ago)
Assigned: 06/30/2014 (4061 days ago)
Resolved: 01/26/2016 (3486 days ago)
Github Issue Link:
Github Pull Request:
Milestone:
Patch: Yes

History
01/26/2016 11:15:52 AM Jan Schneider Assigned to Jan Schneider
State ⇒ Resolved
 
01/26/2016 11:15:41 AM Git Commit Comment #6
Changes have been made in Git (master):

commit b9628ad4855c2b5382988b9d919805ab3e74b7e5
Author: Jan Schneider <jan@horde.org>
Date:   Tue Jan 26 12:15:12 2016 +0100

     [jan] Fix disabling SSL certificate hostname check (Thomas Jarosch <thomas.jarosch@intra2net.com>, Bug #12929).

  framework/Http/package.xml |    2 ++
  1 files changed, 2 insertions(+), 0 deletions(-)

http://github.com/horde/horde/commit/b9628ad4855c2b5382988b9d919805ab3e74b7e5

07/01/2014 07:21:43 AM Thomas Jarosch Comment #5
> I'm not sure if that is really a good situation. Disabling peer
> verification and host name verification are really two different
> things. On the other hand, you probably want both if you intend less
> strict SSL verification. Maybe introduce some "verifyLoose"
> setting...

The idea of the patch was to regain BC with the existing Horde code
before the curl update.

For example, [mms] committed just the same thing for the Imap_Client:
https://github.com/horde/horde/commit/0dcd8ae25ef273240693f78a4e038088e0e569f5

Notice the

+                'ssl' => array(
+                    'verify_peer' => false,
+                    'verify_peer_name' => false
+                )

in there.

06/30/2014 02:37:56 PM Jan Schneider Comment #4
State ⇒ Feedback
I'm not sure if that is really a good situation. Disabling peer
verification and host name verification are really two different
things. On the other hand, you probably want both if you intend less
strict SSL verification. Maybe introduce some "verifyLoose" setting...

06/25/2014 08:23:50 AM Thomas Jarosch Comment #3
ping again? :)

03/20/2014 08:28:03 AM Thomas Jarosch Comment #2
ping

01/21/2014 01:04:24 PM Thomas Jarosch Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ Horde_Http: Fix disabling SSL certificate hostname check
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ Yes
New Attachment: 0001-Fix-disabling-SSL-certificate-hostname-check.patch
State ⇒ Unconfirmed
If we disable the SSL certificate verification for curl,
we should disable the hostname checking, too.

The recent curl security update for CVE-2013-4545 fixed
a bug that erroneously disabled the hostname checking
if the certificate verification was disabled.

I triggered this issue because Horde_Http no longer connected
to "localhost" over SSL as the given cert hostname was "xxx.yyy.zzz".
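
The following is an added example, not Horde_Http code and not part of the ticket: it shows the two curl checks from the report set independently, plus a third mode that keeps both checks and instead resolves the certificate's name to the local address with CURLOPT_RESOLVE. The function `tlsCurlOptions()`, its mode names and the port and address defaults are assumptions made for illustration.

```php
<?php
// Added illustration, not Horde_Http code. tlsCurlOptions() and its mode
// names ('strict', 'loose', 'pinned') are hypothetical.

function tlsCurlOptions(string $mode, ?string $certHost = null,
                        int $port = 443, string $address = '127.0.0.1'): array
{
    switch ($mode) {
        case 'strict':
            // Validate the chain and match the certificate name to the URL host.
            return [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];

        case 'loose':
            // With the CVE-2013-4545 fix, VERIFYPEER => false no longer
            // switches off the name check, so both must be set explicitly.
            // The connection is then unauthenticated.
            return [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0];

        case 'pinned':
            // Keep both checks, request the certificate's own name, and tell
            // curl to resolve that name to the local address.
            if ($certHost === null) {
                throw new InvalidArgumentException('pinned mode needs the certificate host name');
            }
            return [
                CURLOPT_SSL_VERIFYPEER => true,
                CURLOPT_SSL_VERIFYHOST => 2,
                CURLOPT_RESOLVE        => ["$certHost:$port:$address"],
            ];

        default:
            throw new InvalidArgumentException("Unknown TLS mode: $mode");
    }
}

// Constructed usage: 'xxx.yyy.zzz' is the placeholder name from the report.
$certHost = 'xxx.yyy.zzz';
$ch = curl_init("https://$certHost/");
curl_setopt_array($ch, tlsCurlOptions('pinned', $certHost) + [CURLOPT_RETURNTRANSFER => true]);
if (curl_exec($ch) === false) {
    fwrite(STDERR, 'TLS request failed: ' . curl_error($ch) . PHP_EOL);
}
```

With the placeholder name the request fails and only the error path is exercised; substitute the name actually present in the server certificate.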
