ssl ciphers - be liberal in what we accept, conservative in what we generate

This commit is contained in:
friendica 2014-03-24 17:16:01 -07:00
parent 592f5591d9
commit e6ea4a7574
7 changed files with 42 additions and 17 deletions


@ -1,7 +1,7 @@
Options -Indexes Options -Indexes
AddType application/x-java-archive .jar AddType application/x-java-archive .jar
AddType audio/ogg .oga AddType audio/ogg .oga
#SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH #SSLCipherSuite HIGH:AES256-SHA:AES128-SHA:RC4:!aNULL:!eNULL:!EDH
# don't allow any web access to logfiles, even after rotation/compression # don't allow any web access to logfiles, even after rotation/compression
<FilesMatch "\.(out|log|gz)$"> <FilesMatch "\.(out|log|gz)$">
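Review bot: Both versions of the commented-out SSLCipherSuite example on the changed line keep `RC4`, and the variant without `!MD5` also lets MD5-MAC suites back in, which works against the "conservative in what we generate" goal from the commit title. This line is the template admins copy into a live server config, so it should at least append `:!RC4:!MD5` to whichever string is kept, e.g. `#SSLCipherSuite HIGH:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!RC4:!MD5:!EDH`. The rendered page prints old and new text on one line, so which string is the new side is not recoverable here; the suggestion applies to whichever is retained.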


@ -23,6 +23,10 @@ We need much more than this, but here are areas where developers can help. Pleas
* (Advanced) create a UI for building Comanche pages * (Advanced) create a UI for building Comanche pages
* External post connectors - create standard interface
* External post connectors, add popular services
* templatise and translate the Web interface to webDAV * templatise and translate the Web interface to webDAV
* Extend WebDAV to provide desktop access to photo albums * Extend WebDAV to provide desktop access to photo albums


@ -28,7 +28,9 @@ We need much more than this, but here are areas where developers can help. Pleas
[li]Extend WebDAV to provide desktop access to photo albums]/li] [li]Extend WebDAV to provide desktop access to photo albums]/li]
[li]Create a module PDL editor (separate from but integrated with the page layout editor) as a separate module. This will allow folks to view and alter the pre-defined layouts for any module in the system. If the custom module is removed or empty, revert to the system layout. [li]External post connectors - create standard interface[/li]
[li]External post connectors, add popular services[/li]
[li]service classes - provide a pluggable subscription payment gateway for premium accounts[/li] [li]service classes - provide a pluggable subscription payment gateway for premium accounts[/li]


@ -43,8 +43,14 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
@curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); @curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
@curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)"); @curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)");
$ciphers = @get_config('system','curl_ssl_ciphers');
if(! $ciphers)
$ciphers = 'ALL:!eNULL';
@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
if (x($opts,'accept_content')){ if (x($opts,'accept_content')){
curl_setopt($ch,CURLOPT_HTTPHEADER, array ( @curl_setopt($ch,CURLOPT_HTTPHEADER, array (
"Accept: " . $opts['accept_content'] "Accept: " . $opts['accept_content']
)); ));
} }
@ -138,21 +144,27 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
if(($redirects > 8) || (! $ch)) if(($redirects > 8) || (! $ch))
return ret; return ret;
curl_setopt($ch, CURLOPT_HEADER, true); @curl_setopt($ch, CURLOPT_HEADER, true);
@curl_setopt($ch, CURLOPT_CAINFO, get_capath()); @curl_setopt($ch, CURLOPT_CAINFO, get_capath());
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); @curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_POST,1); @curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$params); @curl_setopt($ch, CURLOPT_POSTFIELDS,$params);
curl_setopt($ch, CURLOPT_USERAGENT, "Red"); @curl_setopt($ch, CURLOPT_USERAGENT, "Red");
$ciphers = @get_config('system','curl_ssl_ciphers');
if(! $ciphers)
$ciphers = 'ALL:!eNULL';
@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, Z_CURL_CIPHERS);
if (x($opts,'accept_content')){ if (x($opts,'accept_content')){
curl_setopt($ch,CURLOPT_HTTPHEADER, array ( @curl_setopt($ch,CURLOPT_HTTPHEADER, array (
"Accept: " . $opts['accept_content'] "Accept: " . $opts['accept_content']
)); ));
} }
if(x($opts,'headers')) if(x($opts,'headers'))
curl_setopt($ch, CURLOPT_HTTPHEADER, $opts['headers']); @curl_setopt($ch, CURLOPT_HTTPHEADER, $opts['headers']);
if(x($opts,'timeout') && intval($opts['timeout'])) { if(x($opts,'timeout') && intval($opts['timeout'])) {
@curl_setopt($ch, CURLOPT_TIMEOUT, $opts['timeout']); @curl_setopt($ch, CURLOPT_TIMEOUT, $opts['timeout']);
@ -172,11 +184,11 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
$prx = get_config('system','proxy'); $prx = get_config('system','proxy');
if(strlen($prx)) { if(strlen($prx)) {
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1); @curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
curl_setopt($ch, CURLOPT_PROXY, $prx); @curl_setopt($ch, CURLOPT_PROXY, $prx);
$prxusr = get_config('system','proxyuser'); $prxusr = get_config('system','proxyuser');
if(strlen($prxusr)) if(strlen($prxusr))
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $prxusr); @curl_setopt($ch, CURLOPT_PROXYUSERPWD, $prxusr);
} }
// don't let curl abort the entire application // don't let curl abort the entire application
@ -185,7 +197,7 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
$s = @curl_exec($ch); $s = @curl_exec($ch);
$base = $s; $base = $s;
$curl_info = curl_getinfo($ch); $curl_info = @curl_getinfo($ch);
$http_code = $curl_info['http_code']; $http_code = $curl_info['http_code'];
$header = ''; $header = '';
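Review bot: In z_post_url the cipher list read into `$ciphers` is never used — the curl_setopt right after it passes `Z_CURL_CIPHERS`, a constant that does not appear to be defined anywhere in this commit. In PHP 5 an undefined constant degrades to the string `"Z_CURL_CIPHERS"` (the `@` hides the notice), so libcurl would be handed a cipher list that matches nothing and, as far as I can tell, every HTTPS POST would fail at handshake time with a cipher-list error; the line should mirror z_fetch_url: `@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);`. Separately, the fallback `'ALL:!eNULL'` used in both functions still offers the anonymous aNULL DH/ECDH suites, which carry no server certificate at all; whether libcurl's post-handshake peer check catches that depends on the curl build, and a client that sets CURLOPT_CAINFO has no reason to offer them, so `'ALL:!aNULL:!eNULL'` is the liberal-but-safe form. z_post_url's body continues outside the hunks shown.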


@ -20,13 +20,13 @@ function probe_content(&$a) {
if($res['success']) if($res['success'])
$j = json_decode($res['body'],true); $j = json_decode($res['body'],true);
else { else {
$o .= sprintf( t('Fetching URL returns error: $1%s'),$res['error'] . "\r\n\r\n"); $o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");
$o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n"; $o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n";
$res = zot_finger($addr,$channel,true); $res = zot_finger($addr,$channel,true);
if($res['success']) if($res['success'])
$j = json_decode($res['body'],true); $j = json_decode($res['body'],true);
else else
$o .= sprintf( t('Fetching URL returns error: $1%s'),$res['error'] . "\r\n\r\n"); $o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");
} }
if($j && $j['permissions'] && $j['permissions']['iv']) if($j && $j['permissions'] && $j['permissions']['iv'])
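Review bot: The two corrected sprintf lines write `$res['error']` into the page's HTML without escaping; what zot_finger stores in that field is not visible here, but libcurl error strings commonly echo the host being contacted, which in this module derives from the user-supplied address. Escaping it removes the question: `$o .= sprintf( t('Fetching URL returns error: %1$s'), htmlspecialchars($res['error'])) . "\r\n\r\n";`. That form also moves the `"\r\n\r\n"` onto the sprintf result instead of into the `%1$s` argument, which matters only if a translation places text after the placeholder. The `%1$s` fix itself is correct. probe_content continues outside the hunk.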


@ -1 +1 @@
2014-03-23.625 2014-03-24.626


@ -85,6 +85,13 @@ $a->config['system']['php_path'] = '{{$phpath}}';
$a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL; $a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;
// libcurl default ciphers - Redhat and NSS based systems may use a different
// syntax. This indicates the ciphers we will accept when connecting to any
// https site. We want this to be as liberal as possible.
$a->config['system']['curl_ssl_ciphers'] = 'ALL:!eNULL';
// default system theme // default system theme
$a->config['system']['theme'] = 'redbasic'; $a->config['system']['theme'] = 'redbasic';
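Review bot: The new default `'ALL:!eNULL'` still enables the anonymous aNULL DH/ECDH suites, which carry no server certificate; a verifying HTTPS client gains no interoperability from offering them, so `'ALL:!aNULL:!eNULL'` is as liberal as this setting needs to be, and the comment could say why: `// Anonymous (aNULL) and null-encryption suites are excluded; everything else is offered for interoperability.` The comment already notes that NSS-based libcurl uses a different syntax, yet the value is written unconditionally; if libcurl rejects an unparseable list at connect time (I believe it does), every HTTPS request on such a build fails until an admin edits this line, and since network.php falls back to the same string when the value is empty there is no way to opt out. That caveat belongs next to the setting, e.g. `// On NSS-based builds (see curl_version()['ssl_version']) replace this with NSS cipher names.`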