This should be a slight improvement in setting ciphers - we'll punt on RedHat but open up the list just for openssl distros which seem to have all the problems at the moment.

friendica 2014-03-25 15:19:18 -07:00
parent f14596b1eb
commit 7375e30506
5 changed files with 33 additions and 18 deletions


@ -47,7 +47,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' );
define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R'); define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R');
define ( 'ZOT_REVISION', 1 ); define ( 'ZOT_REVISION', 1 );
define ( 'DB_UPDATE_VERSION', 1103 ); define ( 'DB_UPDATE_VERSION', 1104 );
define ( 'EOL', '<br />' . "\r\n" ); define ( 'EOL', '<br />' . "\r\n" );
define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' ); define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );


@ -44,10 +44,8 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
@curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)"); @curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)");
$ciphers = @get_config('system','curl_ssl_ciphers'); $ciphers = @get_config('system','curl_ssl_ciphers');
if(! $ciphers) if($ciphers)
$ciphers = 'ALL:!eNULL'; @curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
if (x($opts,'accept_content')){ if (x($opts,'accept_content')){
@curl_setopt($ch,CURLOPT_HTTPHEADER, array ( @curl_setopt($ch,CURLOPT_HTTPHEADER, array (
@ -152,10 +150,8 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
@curl_setopt($ch, CURLOPT_USERAGENT, "Red"); @curl_setopt($ch, CURLOPT_USERAGENT, "Red");
$ciphers = @get_config('system','curl_ssl_ciphers'); $ciphers = @get_config('system','curl_ssl_ciphers');
if(! $ciphers) if($ciphers)
$ciphers = 'ALL:!eNULL'; @curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
if (x($opts,'accept_content')){ if (x($opts,'accept_content')){
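Review bot: The cipher block in z_fetch_url() is repeated line for line in z_post_url(), so the TLS settings for outbound requests now live in two places that have to be edited together. A small shared helper called from both, for example `z_curl_set_ciphers($ch)` (name constructed for illustration), would keep them in step. Both calls also keep the `@` prefix and ignore the return value of `curl_setopt()`, so a configured string the TLS backend cannot use will presumably surface only as a failed request; logging curl's error text there would make that diagnosable. Both function bodies begin and end outside the hunks shown.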


@ -1,6 +1,6 @@
<?php <?php
define( 'UPDATE_VERSION' , 1103 ); define( 'UPDATE_VERSION' , 1104 );
/** /**
* *
@ -1159,3 +1159,10 @@ function update_r1102() {
); );
return UPDATE_SUCCESS; return UPDATE_SUCCESS;
} }
function update_r1103() {
$x = curl_version();
if(stristr($x['ssl_version'],'openssl'))
set_config('system','curl_ssl_ciphers','ALL:!eNULL');
return UPDATE_SUCCESS;
}
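Review bot: The value stored by update_r1103(), and again by what_next() in the installer, is `'ALL:!eNULL'`, which in OpenSSL's cipher-list syntax still includes the anonymous (aNULL) suites and, on older OpenSSL builds, the EXPORT and LOW groups. Anonymous suites perform no server authentication, so an outbound fetch that negotiates one cannot distinguish the intended host from an interceptor. `'ALL:!eNULL:!aNULL:!EXPORT:!LOW'` would keep RC4 and the other legacy ciphers this commit wants for compatibility while excluding those groups. update_r1103() also overwrites unconditionally; wrapping the call in `if(! get_config('system','curl_ssl_ciphers'))` would preserve a value an admin has already chosen.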


@ -605,9 +605,28 @@ function what_next() {
$a = get_app(); $a = get_app();
// install the standard theme // install the standard theme
set_config('system','allowed_themes','redbasic'); set_config('system','allowed_themes','redbasic');
// Set a lenient list of ciphers if using openssl. Other ssl engines
// (e.g. NSS used in RedHat) require different syntax, so hopefully
// the default curl cipher list will work for most sites. If not,
// this can set via config. Many distros are now disabling RC4,
// but many Red sites still use it and are unable to change it.
// We do not use SSL for encryption, only to protect session cookies.
// z_fetch_url() is also used to import shared links and other content
// so in theory most any cipher could show up and we should do our best
// to make the content available rather than tell folks that there's a
// weird SSL error which they can't do anything about.
$x = curl_version();
if(stristr($x['ssl_version'],'openssl'))
set_config('system','curl_ssl_ciphers','ALL:!eNULL');
// Create a system channel // Create a system channel
require_once ('include/identity.php'); require_once ('include/identity.php');
create_sys_channel(); create_sys_channel();
$baseurl = $a->get_baseurl(); $baseurl = $a->get_baseurl();
return return
t('<h1>What next</h1>') t('<h1>What next</h1>')
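Review bot: The new comment block in what_next() justifies the lenient list by how the site's own SSL is used, but the value written here governs outbound requests made through z_fetch_url() and z_post_url(); the comment should say so and state the trade-off that a remote host may then negotiate a weak cipher. It should also name the key an admin would change, and the sentence `this can set via config` is missing a word: `this can be set via config (system / curl_ssl_ciphers)`. The result of `$x = curl_version();` is indexed without a check, so `if($x && stristr($x['ssl_version'],'openssl'))` would be safer if the call can fail. what_next() continues past the end of the hunk.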


@ -85,13 +85,6 @@ $a->config['system']['php_path'] = '{{$phpath}}';
$a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL; $a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;
// libcurl default ciphers - Redhat and NSS based systems may use a different
// syntax. This indicates the ciphers we will accept when connecting to any
// https site. We want this to be as liberal as possible.
$a->config['system']['curl_ssl_ciphers'] = 'ALL:!eNULL';
// default system theme // default system theme
$a->config['system']['theme'] = 'redbasic'; $a->config['system']['theme'] = 'redbasic';