Drupal does not currently verify that SSL certificates use a trusted root cert. This affects any requests initiated with drupal_http_request. It also affects OpenID discovery and HTTPS redirects during that discovery.
This issue includes solutions for Drupal 8 and the Drupal 7 backport.
Given we use Guzzle now, utilize http://guzzle.readthedocs.org/en/latest/http-client/client.html#configur... to nominate the system certificate file as the default instead of that shipped with Guzzle. Anyone wanting to use their own can implement ServiceModifierInterface and nominate an absolute file path.
1) Verify SSL certificates using curl_verify_ssl_peer. This only works when PHP is compiled with cURL support.
One drawback to this approach is that cURL is not always available in shared host environments. Commenters indicated that cURL is a relatively standard feature, and this should not be as much of a factor when D8 is released.
2) Include in Drupal a bundle of X.509 certificates of public Certificate Authorities (CA) borrowed from the cURL library.
greggles mentioned in comment 24 that this might require rapid security advisories in the case of a compromised cert. Also, including certs in Drupal core would logically add a configuration requirement where admins could add new certs.
Get Drupal 8 patch in.
Backport to Drupal 7 - Comment #25 includes a patch using curl_verify_ssl_peer, but it requires testing.
Possibly backport to D6.
This could affect developers who use drupal_http_request to issue HTTPS requests against servers that do not have proper SSL certs. For example, HTTPS connections would fail when issued to an internal dev server that used a self-signed cert.
Wojtha just asked on IRC if certificates are verified. They are not.
Demo patch in a few mins.
Fixed
8.7 β°οΈ
Last updated
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
As per @izmeez, this issue was committed to D8 in #42, so changing the status to Fixed, so that the D8 patch contributors can get credits. In the meantime, D7 "backport" is discussed here: π Make SSL options configurable in drupal_http_request() Fixed , though it is a bit different approach now.
Automatically closed - issue fixed for 2 weeks with no activity.