From 558b3becf0ae99cb15e8f16af349987a38c4c56d Mon Sep 17 00:00:00 2001
From: Parker Shelton
Date: Sat, 3 Nov 2012 18:52:25 -0700
Subject: [PATCH] Verify the received SSL certificate's CNAME matches the requested host

The cURL manual explains the correct usage of CURLOPT_SSL_VERIFYHOST as follows: 1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (default value). CURLOPT_SSL_VERIFYHOST also cannot be used without CURLOPT_SSL_VERIFYPEER. See http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf for a full analysis of the security vulnerability here.
---
requestcore.class.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/requestcore.class.php b/requestcore.class.php
index 9fb2d96..be427f7 100755
--- a/requestcore.class.php
+++ b/requestcore.class.php
@@ -473,8 +473,8 @@ public function prep_request()
 curl_setopt($curl_handle, CURLOPT_URL, $this->request_url);
 curl_setopt($curl_handle, CURLOPT_FILETIME, true);
 curl_setopt($curl_handle, CURLOPT_FRESH_CONNECT, false);
-curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, false);
-curl_setopt($curl_handle, CURLOPT_SSL_VERIFYHOST, true);
+curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, true);
+curl_setopt($curl_handle, CURLOPT_SSL_VERIFYHOST, 2);
 curl_setopt($curl_handle, CURLOPT_CLOSEPOLICY, CURLCLOSEPOLICY_LEAST_RECENTLY_USED);
 curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, true);
 curl_setopt($curl_handle, CURLOPT_MAXREDIRS, 5);
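Review bot: The new `CURLOPT_SSL_VERIFYPEER, true` line makes every HTTPS request depend on a trust store that nothing in this hunk configures; with no `CURLOPT_CAINFO`/`CURLOPT_CAPATH` set, curl falls back to the system bundle or the `curl.cainfo` php.ini value, and on a host lacking both every request will now fail with a certificate error rather than connect, so the class needs a documented way to supply a CA bundle (a setter that calls `curl_setopt($curl_handle, CURLOPT_CAINFO, <path-to-ca-bundle>)` when configured) and callers should treat that failure as a hard error, not retry with verification off. The `2` is the correct value for `CURLOPT_SSL_VERIFYHOST`; the old `true` coerced to 1, which only checked that some common name existed, so a comment on the new line would stop the next maintainer from "simplifying" it back: `// 2 = certificate name must match the requested host; 1/true only checks a name exists`. Since the context lines show `CURLOPT_FOLLOWLOCATION` enabled with `CURLOPT_MAXREDIRS` 5, it is worth stating in that comment that the verification also applies to every redirected connection. prep_request() begins and ends outside the hunk, so any option-override mechanism that could later set these two options back to weaker values cannot be checked from here.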