Elastica_Transport_Https

[rayward]

This transport is setting the following curl option:

curl_setopt($connection, CURLOPT_SSL_VERIFYPEER, false);

This causes connections to be insecure as it won't verify the peers certificate. It allows connections to servers with invalid or expired certificates.

You should set this to true.

[ruflin]

@rayward: You are right. This is quite a security issue. We should set it to true by default
@maeti: In general, good idea with the flag. But is it a good idea in general to allow not verified? I see the usecase more in a testing environment.

There are additional flag we should take into account:

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);

But than we have to use CURLOPT_CAPATH option to add certs:

curl_setopt($curl, CURLOPT_CAPATH, 'cert.pem');

What you think is best?

[plaflamme]

I'd suggest accepting the curl options as a parameter when constructing the client. CURL has literally tens (if not a hundred) of options. You don't want to pick and choose the ones you want. Simply allow passing-through curl opts.

[ruflin]

Very good idea. Does anyone have time to implement that? That also fits the general Elastica approach. Allow "everything" through a general API, but also implement some often used features more specific.

[ruflin]

Now it is possible to set curl params in the config (see commit ba88bd0)

#107

[lavoiesl]

Can this issue be closed then ?

[ruflin]

Closed