ssl ciphers - be liberal in what we accept, conservative in what we generate

2014-03-24 17:16:01 -07:00 · 2014-03-24 17:16:01 -07:00 · e6ea4a7574
commit e6ea4a7574
parent 592f5591d9
7 changed files with 42 additions and 17 deletions
--- a/.htaccess
+++ b/.htaccess
@ -1,7 +1,7 @@
 Options -Indexes
 AddType application/x-java-archive .jar
 AddType audio/ogg .oga
-#SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
+#SSLCipherSuite HIGH:AES256-SHA:AES128-SHA:RC4:!aNULL:!eNULL:!EDH

 # don't allow any web access to logfiles, even after rotation/compression
 <FilesMatch "\.(out|log|gz)$">
--- a/doc/To-Do-Code.md
+++ b/doc/To-Do-Code.md
@ -23,6 +23,10 @@ We need much more than this, but here are areas where developers can help. Pleas

 * (Advanced) create a UI for building Comanche pages

+* External post connectors - create standard interface
+
+* External post connectors, add popular services
+
 * templatise and translate the Web interface to webDAV

 * Extend WebDAV to provide desktop access to photo albums
--- a/doc/to_do_code.bb
+++ b/doc/to_do_code.bb
@ -28,7 +28,9 @@ We need much more than this, but here are areas where developers can help. Pleas

 [li]Extend WebDAV to provide desktop access to photo albums]/li]

-[li]Create a module PDL editor (separate from but integrated with the page layout editor) as a separate module. This will allow folks to view and alter the pre-defined layouts for any module in the system. If the custom module is removed or empty, revert to the system layout.   
+[li]External post connectors - create standard interface[/li]
+
+[li]External post connectors, add popular services[/li]

 [li]service classes - provide a pluggable subscription payment gateway for premium accounts[/li]

--- a/include/network.php
+++ b/include/network.php
@ -43,8 +43,14 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
 	@curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
 	@curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)");

+	$ciphers = @get_config('system','curl_ssl_ciphers');
+	if(! $ciphers)
+		$ciphers = 'ALL:!eNULL';
+
+	@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
+
 	if (x($opts,'accept_content')){
-		curl_setopt($ch,CURLOPT_HTTPHEADER, array (
+		@curl_setopt($ch,CURLOPT_HTTPHEADER, array (
 			"Accept: " . $opts['accept_content']
 		));
 	}
@ -138,21 +144,27 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 	if(($redirects > 8) || (! $ch)) 
 		return ret;

-	curl_setopt($ch, CURLOPT_HEADER, true);
+	@curl_setopt($ch, CURLOPT_HEADER, true);
 	@curl_setopt($ch, CURLOPT_CAINFO, get_capath());
-	curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
-	curl_setopt($ch, CURLOPT_POST,1);
-	curl_setopt($ch, CURLOPT_POSTFIELDS,$params);
-	curl_setopt($ch, CURLOPT_USERAGENT, "Red");
+	@curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
+	@curl_setopt($ch, CURLOPT_POST,1);
+	@curl_setopt($ch, CURLOPT_POSTFIELDS,$params);
+	@curl_setopt($ch, CURLOPT_USERAGENT, "Red");
+
+	$ciphers = @get_config('system','curl_ssl_ciphers');
+	if(! $ciphers)
+		$ciphers = 'ALL:!eNULL';
+
+	@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, Z_CURL_CIPHERS);


 	if (x($opts,'accept_content')){
-		curl_setopt($ch,CURLOPT_HTTPHEADER, array (
+		@curl_setopt($ch,CURLOPT_HTTPHEADER, array (
 			"Accept: " . $opts['accept_content']
 		));
 	}
 	if(x($opts,'headers'))
-		curl_setopt($ch, CURLOPT_HTTPHEADER, $opts['headers']);
+		@curl_setopt($ch, CURLOPT_HTTPHEADER, $opts['headers']);

 	if(x($opts,'timeout') && intval($opts['timeout'])) {
 		@curl_setopt($ch, CURLOPT_TIMEOUT, $opts['timeout']);
@ -172,11 +184,11 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {

 	$prx = get_config('system','proxy');
 	if(strlen($prx)) {
-		curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
-		curl_setopt($ch, CURLOPT_PROXY, $prx);
+		@curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
+		@curl_setopt($ch, CURLOPT_PROXY, $prx);
 		$prxusr = get_config('system','proxyuser');
 		if(strlen($prxusr))
-			curl_setopt($ch, CURLOPT_PROXYUSERPWD, $prxusr);
+			@curl_setopt($ch, CURLOPT_PROXYUSERPWD, $prxusr);
 	}

 	// don't let curl abort the entire application
@ -185,7 +197,7 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 	$s = @curl_exec($ch);

 	$base = $s;
-	$curl_info = curl_getinfo($ch);
+	$curl_info = @curl_getinfo($ch);
 	$http_code = $curl_info['http_code'];

 	$header = '';
--- a/mod/probe.php
+++ b/mod/probe.php
@ -20,13 +20,13 @@ function probe_content(&$a) {
 		if($res['success'])
 			$j = json_decode($res['body'],true);
 		else {
-			$o .= sprintf( t('Fetching URL returns error: $1%s'),$res['error'] . "\r\n\r\n");
+			$o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");
 			$o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n";
 			$res = zot_finger($addr,$channel,true);
 			if($res['success'])
 				$j = json_decode($res['body'],true);
 			else
-				$o .= sprintf( t('Fetching URL returns error: $1%s'),$res['error'] . "\r\n\r\n");
+				$o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");

 		}
 		if($j && $j['permissions'] && $j['permissions']['iv'])
--- a/version.inc
+++ b/version.inc
@ -1 +1 @@
-2014-03-23.625
+2014-03-24.626
--- a/view/en/htconfig.tpl
+++ b/view/en/htconfig.tpl
@ -85,6 +85,13 @@ $a->config['system']['php_path'] = '{{$phpath}}';

 $a->config['system']['directory_mode']  = DIRECTORY_MODE_NORMAL;

+
+// libcurl default ciphers - Redhat and NSS based systems may use a different
+// syntax. This indicates the ciphers we will accept when connecting to any
+// https site. We want this to be as liberal as possible.
+
+$a->config['system']['curl_ssl_ciphers'] = 'ALL:!eNULL';
+
 // default system theme

 $a->config['system']['theme'] = 'redbasic';