Problem/Motivation

Composer has a disable-tls setting. I believe it's documented incorrectly. Rather than downgrading https requests to http, I think it can also use https requests (when PHP's OpenSSL extension is available), but not verify the SSL certificates. Failing to verify SSL certificates creates just as much of an adversary-in-the-middle vulnerability as not using https at all.

The contrib Package Manager module does not operate, and reports an error, when disable-tls is enabled. The purpose of this core policy issue is to confirm if that's the right decision for core.

In #3351190: [policy, no patch] Should Package Manager require Composer HTTPS?, we identified several reasons why someone might want to set disable-tls to true, but we think that none of those reasons warrant Drupal core's package manager supporting that:

  • Someone might not have PHP's OpenSSL extension installed, but in #3364565: [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser) the decision so far is to not support that.
  • Someone might not have a CA (certificate authority) root certificates bundle on their host system with which to validate certificates, but Composer covers this case by including such a bundle from Mozilla and using it as a fallback (see #3351190-18: [policy, no patch] Should Package Manager require Composer HTTPS?).
  • Someone might have a CA bundle on their host system, but an out of date one that's unable to verify certificates from drupal.org, packagist.org, github.com, or other required pacakage repositories. However, in this case, they can configure Composer to use the Composer provided CA bundle instead.
  • Someone might have a site using packages from a local or institutional packagist that's using self-signed certificates that can't be verified with either their host's CA bundle or with Composer's included CA bundle. However, in this case, they can add a custom CA bundle for verifying their self-signed certificates to their Composer configuration.

In other words, as far as we know, there's no legitimate reason to use disable-tls other than the expediency of not wanting to apply one of the proper solutions above. Meanwhile, allowing Package Manager to run with the disable-tls setting would expose the site to compromise with respect to the packages that don't have TUF protection (i.e., the dependencies not in the drupal/ namespace).

Proposed resolution

Retain Package Manager's existing behavior of requiring Composer's disable-tls setting to not be enabled.

Remaining tasks

Confirmation from product, framework, and release managers that it's okay for Drupal core's Automatic Updates to not run for sites that set disable-tls.

Comments

effulgentsia created an issue. See original summary.

effulgentsia’s picture

effulgentsia commented
Issue summary: View changes

Filled in the issue summary.

effulgentsia’s picture

effulgentsia commented
Issue tags: +Needs product manager review, +Needs framework manager review, +Needs release manager review
effulgentsia’s picture

effulgentsia commented
Status: Active » Needs review

Now that the IS is filled out, and since this is a policy issue with no patch needed, setting to Needs review.

catch’s picture

catch
he/him
Primary language English
commented

I agree with the issue summary, the use case seems much more specialised and unnecessary than not having the SSL extension available at all.

smustgrave’s picture

smustgrave commented
Category: Task » Plan

Believe this falls under Plan. The linked issue was also a plan so assume this would be too.

drumm’s picture

drumm
he/him
Location NY, US
commented

We have gotten very few support requests lately about attempting to connect to Drupal.org with outdated CA bundles. It may have been over a year since the last time I can remember fielding that type of support request. Either everyone's installations have better CA bundles, people know how to update when they see it, we aren't hearing about it when there are problems, or Composer's fallback bundle is helping.

catch’s picture

catch
he/him
Primary language English
commented

One suggestion:

Start off disallowing disable-tls altogether.

Open a follow-up issue to monitor for reports of people having problems with it, then on the basis of that, we could look into allowing it (possibly with a status report warning etc.) if it's a problem.

Seems easier to make it looser later, e.g. in a minor release, than to make it stricter later.

The drawback is if people have problems but don't report them to us, but would think even if that happens we'd get enough reports to notice.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
Issue tags: -Needs product manager review

#8 seems like a good approach from my point of view. Similar to #3364565-25: [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser), what's important from the product perspective is that we have clear messages when then requirements are not met, and documentation for how users may try to get make their environment compatible.

catch’s picture

catch
he/him
Primary language English
commented
Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs release manager review

For all the same reasons as #3364565: [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser) I'm going to remove the release manager review here and mark this RTBC. It would be good if a framework manager who's not me could also remove that tag or otherwise comment.

Per #3398995: [PP-1] [policy] Allow package manager to work without openssl and/or a valid certificate bundle if we TUF-proxy packagist and github on Drupal.org, or if packagist enables TUF itself, we might be in a better position to reverse this decision later on. However for now it gives us a starting point where we can make things less restrictive rather than more restrictive later, (if the assumptions in the issue summary that this particular setting should be easy to resolve for any sites that hit it are false).

effulgentsia’s picture

effulgentsia commented
Issue tags: -Needs framework manager review

I opened this issue, so I'm biased, but since other committers have also +1'd it, I think it's okay for me to also provide the framework manager signoff, so removing that tag.

Leaving at RTBC for at least a few days to give people a chance to object before marking it fixed.

catch’s picture

catch
he/him
Primary language English
commented
Related issues: +#3398995: [PP-1] [policy] Allow package manager to work without openssl and/or a valid certificate bundle
catch’s picture

catch
he/him
Primary language English
commented
Status: Reviewed & tested by the community » Fixed

Going ahead and marking this fixed per the above, as well as the general agreement on #3364565: [policy, no patch] Make PHP's OpenSSL extension a requirement for installing and using Package Manager (and therefore, Automatic Updates and Project Browser), since it's been RTBC for over three weeks now and all sign-offs have been done. We have #3398995: [PP-1] [policy] Allow package manager to work without openssl and/or a valid certificate bundle to discuss this further if it turns out to cause problems for people after all.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

quietone’s picture

quietone commented
Version: 11.x-dev » 10.2.x-dev

Changing to latest version when this was closed.