Both the common parser and simplepie use Curl to download URLs, but on some servers CURL has a very finicky default behavior with SSL certificates, and this causes feedapi to fail when pointed at RSS feeds behind SSL. We needed this functionality on a recent site, and the following line adds it in when called in _parser_common_syndication_feedapi_get() and acting on the Curl handler:

    curl_setopt($download, CURLOPT_SSL_VERIFYPEER, 0);

However, this needs a lot more work to 1) check whether this is possible without access to the actual Curl handler (I didn't see anything) and 2) if not, perhaps add it as an option or a set of options in CURL so that sites can enable this without marginally decreasing the security of feedapi users at large.

Comments

aron novak

Status: Needs review » Fixed

There is a nice setting for common syndication parser to accept bogus SSL feeds, but only when it uses cURL to download the feeds.
For SimplePie, it's an issue with simplepie itself, I think :)

alex_b

Assigned: Unassigned » aron novak
Status: Fixed » Needs work

Great. Some minor nitpicks:

http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/feedapi/par...

1)

_parser_common_syndication_download() accepts NULL but the calling code checks for the presence of settings. This can be cleaned up.

2)

"Accept invalid SSL certificates"

"Do not verify peer"

3)

"If you would like to get feeds secure sites what have invalid certificate, you need to turn this on."

"When the parser connects to an SSL protected resource it tries to validate the resource's SSL certificate. If this can't be done the feed download fails. Check this box to skip validation and accept any SSL certificate. Note that skipping validation can pose a security risk. See CURLOPT_SSL_VERIFYPEER."

alex_b

Priority: Normal » Critical

This is release critical for 1.7.

aron novak

Status: Needs work » Needs review

1)
Well, correct me if I am wrong, but at line 35 of parser_csp.module there is no "check for the presence of settings"; this is to avoid a PHP notice. Maybe $args[2] is undefined, not null.

I attached two patches.
1_1: "Do not verify peer"
1_2: "Do not verify SSL peer" - the user should realize at first sight that this is related only to SSL; with the previous version, the small-font description text had to be read.

aron novak

Status: Needs review » Fixed

common_syndication_ssl_1_2.patch is in.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

aufumy

For a dev server that I am working with, we need to set CURLOPT_SSL_VERIFYHOST to false as well.

Before realizing this issue, I worked on a similar patch with a different approach: instead of adding a checkbox to turn CURLOPT_SSL_VERIFYPEER on/off, a textbox is used to specify which dev servers the curl options are turned on/off for.

http://drupal.org/node/523028
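The opening post and the last comment both reach for CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST to get past a dev server's certificate. As an added example (not feedapi or common syndication parser code), here is a download helper that keeps verification on and instead trusts the dev CA explicitly via CURLOPT_CAINFO; the function name, the $ca_bundle / $error parameters and the file paths are assumptions, the cURL constants are standard PHP ones.

```php
<?php
// Feed download with TLS verification kept on. Added example; not code
// from feedapi. $ca_bundle and $error are assumed parameter names.

function feed_download_verified($url, $ca_bundle = NULL, &$error = NULL) {
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_TIMEOUT, 30);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
  // If the feed redirects, only allow the redirect to stay on HTTPS so a
  // verified connection cannot be downgraded to plain HTTP.
  curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);

  // The secure settings: validate the chain (VERIFYPEER) and require the
  // certificate to match the host name (VERIFYHOST = 2; 0 skips the check).
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

  // For a dev server with a self-signed or private-CA certificate, trust
  // that CA's bundle explicitly instead of turning verification off.
  if ($ca_bundle !== NULL) {
    curl_setopt($ch, CURLOPT_CAINFO, $ca_bundle);
  }

  $body = curl_exec($ch);
  if ($body === FALSE) {
    $errno = curl_errno($ch);
    // Tell a certificate failure apart from a network failure, so the log
    // says which CA is missing rather than inviting a blanket "disable".
    $cert_errors = array(CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE,
                         CURLE_SSL_CERTPROBLEM);
    $kind = in_array($errno, $cert_errors, TRUE) ? 'certificate' : 'transport';
    $error = sprintf('%s error %d fetching %s: %s',
                     $kind, $errno, $url, curl_error($ch));
    curl_close($ch);
    return NULL;
  }
  curl_close($ch);
  return $body;
}

// Usage (constructed): a public feed with the system CA bundle, and a dev
// feed signed by an internal CA stored at an assumed path.
$public = feed_download_verified('https://example.com/feed.xml', NULL, $err);
$dev = feed_download_verified('https://dev.example.internal/feed.xml',
                              '/etc/ssl/internal-ca.pem', $err);
if ($dev === NULL) {
  error_log($err);
}
```

A per-site CA file gives the dev server its own trust anchor without changing what every other feedapi user accepts, which is the concern raised in the opening post.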