cxxurl

SSL verify setting doesn't work correctly. In most cases the SSL is never verified.

Open hippymulehead opened this issue 2 years ago • 1 comments

In Request.h the following code only verifies the peer if you have a Cacert in your code....

```cpp
if(m_VerifySSL && !m_Cacert.empty()){
    SET_CURL_OPT(CURLOPT_SSL_VERIFYPEER, 1);
    SET_CURL_OPT(CURLOPT_SSL_VERIFYHOST, 1);
    SET_CURL_OPT(CURLOPT_CAINFO, m_Cacert.c_str());
}else{
    SET_CURL_OPT(CURLOPT_SSL_VERIFYPEER, 0);
    SET_CURL_OPT(CURLOPT_SSL_VERIFYHOST, 0);
}
```

You can fix this by changing it to this... This allows you to verify that the remote cert is valid when VerifySSL is true, or you can bypass the verification if the server has a self-signed cert with VerifySSL = false.

```cpp
if (m_VerifySSL && !m_Cacert.empty()) {
    SET_CURL_OPT(CURLOPT_SSL_VERIFYPEER, 1);
    SET_CURL_OPT(CURLOPT_SSL_VERIFYHOST, 1);
    SET_CURL_OPT(CURLOPT_CAINFO, m_Cacert.c_str());
} else {
    if (m_VerifySSL) {
        SET_CURL_OPT(CURLOPT_SSL_VERIFYPEER, 1);
        SET_CURL_OPT(CURLOPT_SSL_VERIFYHOST, 1);
    } else {
        SET_CURL_OPT(CURLOPT_SSL_VERIFYPEER, 0);
        SET_CURL_OPT(CURLOPT_SSL_VERIFYHOST, 0);
    }
}
```

hippymulehead May 02 '22 18:05

@hippymulehead Thanks for your report. Please submit a pr and I'll merge it. Have a good day!

xiaozhuai May 03 '22 04:05
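The decision logic reported in this issue, as an added regression check that is not cxxurl's own code: it models the three option values as a plain struct so it runs without libcurl, and counts the inputs where verification was requested but ends up disabled. The names `TlsOpts`, `original_logic`, `corrected_logic` and `silent_downgrades` are hypothetical, the CA path is a constructed sample, and the corrected variant uses 2 for `CURLOPT_SSL_VERIFYHOST`, the value libcurl documents for checking the certificate name against the host.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Values that would be handed to libcurl for one request (no libcurl needed here).
struct TlsOpts {
    long verify_peer;    // CURLOPT_SSL_VERIFYPEER
    long verify_host;    // CURLOPT_SSL_VERIFYHOST
    std::string cainfo;  // CURLOPT_CAINFO; empty = option not set, default CA store
};

// Logic as quoted from Request.h: verification needs BOTH the flag and a CA file.
TlsOpts original_logic(bool verify_ssl, const std::string& cacert) {
    if (verify_ssl && !cacert.empty()) return {1, 1, cacert};
    return {0, 0, ""};
}

// Corrected logic: the flag alone decides whether to verify;
// a CA file only replaces the trust store used for that verification.
TlsOpts corrected_logic(bool verify_ssl, const std::string& cacert) {
    if (!verify_ssl) return {0, 0, ""};  // explicit opt-out, e.g. self-signed test server
    return {1, 2, cacert};               // 2 = match certificate name against the host
}

// Count inputs where the caller asked for verification but it is switched off.
template <typename F>
int silent_downgrades(F logic) {
    const std::vector<std::string> cacerts = {"", "/path/to/ca.pem"};  // constructed samples
    int bad = 0;
    for (bool verify : {false, true}) {
        for (const std::string& ca : cacerts) {
            TlsOpts o = logic(verify, ca);
            if (verify && (o.verify_peer == 0 || o.verify_host == 0)) ++bad;
        }
    }
    return bad;
}

int main() {
    std::cout << "original:  " << silent_downgrades(original_logic) << " downgrade(s)\n";
    std::cout << "corrected: " << silent_downgrades(corrected_logic) << " downgrade(s)\n";
    return 0;
}
```

The single downgrade in the original logic is the case `m_VerifySSL = true` with no CA file set.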