Removed disable SSL peer verification
[Issue #14](#14) suggests man in the middle attack possible, removed disabling SSL peer verification in cURL options (it wasn't needed anyway).
J7mbo committed Jul 9, 2013
1 parent 2b2d0d9 commit a31eca4
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions TwitterAPIExchange.php
@@ -11,7 +11,7 @@
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @link http://github.com/j7mbo/twitter-api-php
*/
class TwitterAPIExchange
class TwitterAPIExchange
{
private $oauth_access_token;
private $oauth_access_token_secret;
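Review bot: the `class TwitterAPIExchange` line at the centre of this hunk is shown as both removed and added with no visible difference, so the change here can only be whitespace or line endings; an unrelated cosmetic edit is better kept out of a commit whose purpose is fixing a security setting, or at least mentioned in the commit message so that readers of the history do not look for a functional change in this hunk.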
@@ -193,8 +193,7 @@ public function performRequest($return = true)
CURLOPT_HTTPHEADER => $header,
CURLOPT_HEADER => false,
CURLOPT_URL => $this->url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => false
CURLOPT_RETURNTRANSFER => true
);

if (!is_null($postfields))
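Review bot: dropping `CURLOPT_SSL_VERIFYPEER => false` restores cURL's default peer verification, which is the right fix for the man-in-the-middle exposure named in the commit message; since none of the remaining options points cURL at a CA bundle, clients on a PHP build without a usable default bundle will now fail with a certificate verification error instead of silently connecting, so consider exposing an optional `CURLOPT_CAINFO` path through the class and describing that behaviour change in the commit message or README rather than "it wasn't needed anyway".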

2 comments on commit a31eca4

@brnpimentel

With this commit (removing ssl_verifypeer) I'm getting an error from curl:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

@rdlowrey

This is the expected behavior ... the problem is that disabling peer verification is incredibly insecure. Generally the curl extension has a valid CA file for verifying peers built in. However, if you're using an older version of PHP this may not be sufficient.

You'll need to set the CURLOPT_CAINFO option and pass it an absolute file path pointing to a valid CA file. You can download the cacert.pem file found here on the curl site. Perhaps the library could expose an optional setting to allow this sort of thing (or to disable verification -- not a good idea).

Either way, disabling peer verification is extremely irresponsible. If your transfers are failing now, it means everything you were doing before was vulnerable to a MitM (Man in the Middle) attack.
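The fix the comment above describes, keeping verification on and pointing cURL at an explicit CA bundle where the PHP build lacks a usable default, as an added example. This is not code from twitter-api-php or from either commenter; the function names, the `$caBundle` parameter, the `TWITTER_CA_BUNDLE` and `RUN_REQUEST` environment variable names and the sample URL are this example's own assumptions.

```php
<?php
// Added example (not part of twitter-api-php): build cURL options that keep
// peer and host verification on, and optionally point cURL at an explicit
// CA bundle for PHP builds whose default bundle is missing or outdated.
// Function names and the $caBundle parameter are this example's own.

/**
 * Return cURL options for a verified TLS request.
 *
 * @param string      $url      Request URL (must be https://).
 * @param string|null $caBundle Absolute path to a PEM CA bundle such as
 *                              cacert.pem from the curl site; null keeps
 *                              cURL's compiled-in default bundle.
 * @param array       $headers  Extra HTTP headers (e.g. the OAuth header).
 */
function verifiedCurlOptions(string $url, ?string $caBundle = null, array $headers = []): array
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
    }

    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_HEADER         => false,
        CURLOPT_RETURNTRANSFER => true,
        // Both checks stay on: VERIFYPEER validates the chain against the CA
        // bundle, VERIFYHOST (2) checks the certificate name matches the host.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];

    if ($caBundle !== null) {
        // Fail closed: a bad path must not degrade into an unverified request.
        if (!is_file($caBundle) || !is_readable($caBundle)) {
            throw new RuntimeException("CA bundle not readable: $caBundle");
        }
        $options[CURLOPT_CAINFO] = $caBundle;
    }

    return $options;
}

/**
 * Execute a request with the options above. A verification failure surfaces
 * as an exception carrying curl's own message (the "certificate verify
 * failed" text quoted in the comment above) instead of being hidden by
 * switching verification off.
 */
function performVerifiedRequest(array $options): string
{
    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // CURLE_SSL_CACERT / CURLE_SSL_PEER_CERTIFICATE are the cURL codes for
        // a failed chain or peer certificate check.
        $hint = ($errno === CURLE_SSL_CACERT || $errno === CURLE_SSL_PEER_CERTIFICATE)
            ? ' (supply a CA bundle path via CURLOPT_CAINFO rather than disabling verification)'
            : '';
        throw new RuntimeException("cURL error $errno: $error$hint");
    }
    return $body;
}

// Usage: the request is only sent when RUN_REQUEST is set, so the file can be
// loaded without network access. The URL and env var names are assumptions.
if (PHP_SAPI === 'cli' && getenv('RUN_REQUEST')) {
    $ca   = getenv('TWITTER_CA_BUNDLE') ?: null;           // e.g. /etc/ssl/certs/cacert.pem
    $opts = verifiedCurlOptions('https://api.twitter.com/', $ca);
    try {
        echo substr(performVerifiedRequest($opts), 0, 200), PHP_EOL;
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . PHP_EOL);
        exit(1);
    }
}
```

The design point is that the only configurable knob is where the trusted CA bundle lives, never whether verification happens: an unreadable bundle path raises before any request is made, and a failed verification is reported with curl's error code and text so the operator can fix the bundle rather than be tempted to set `CURLOPT_SSL_VERIFYPEER` back to `false`.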
