Curl SSL/TLS trust chain verification should not be disabled

php

(Pierre-Loup Tristant) #1

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
curl's versions of SSL/TLS protocols and cypher suites must be chosen carefully and should not be modified at runtime

Impact
Disabling it exposes the communications to man-in-the-middle attacks.

Noncompliant Code Example

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

Compliant Code Example

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);

References

Type
Vulnerability

Tags
cwe, owasp-a6


(Alexandre Gigleux) #2

Hello Pierre-Loup,

I created RSPEC-4830 and RSPEC-4831 from your rule suggestion.

I believe there is a typo in your Compliant Code.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true) should not be considered safe because “true” is cast to ‘1’, which is not a secure configuration. CURLOPT_SSL_VERIFYHOST should be configured to ‘2’.

Thanks

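A static check for the pitfall discussed above, added here as an example (written for this thread, not SonarPHP's implementation of RSPEC-4830/4831): it scans PHP source for curl_setopt() calls, applies PHP's int cast to literal values, and flags CURLOPT_SSL_VERIFYPEER set to 0 or CURLOPT_SSL_VERIFYHOST set to anything other than 2, so the "true" case is caught. The sample PHP source is constructed.

```python
import re

# Matches a curl_setopt() call whose option is one of the two verification
# options; captures the option name and the raw value expression.
_SETOPT_RE = re.compile(
    r"(?i:curl_setopt)\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)"
)

def _php_int(value: str):
    """Mimic PHP's int cast for literal values; None if not decidable statically."""
    v = value.strip().lower()
    if v == "true":                      # true -> 1, the cast post #2 describes
        return 1
    if v in ("false", "null"):
        return 0
    if re.fullmatch(r"-?\d+", v):
        return int(v)
    if re.fullmatch(r"'\d+'|\"\d+\"", v):   # numeric string such as '2'
        return int(v[1:-1])
    return None  # variable, constant or call: cannot be judged by this check

def check_curl_tls_options(php_source: str) -> list:
    """Return (line_no, option, value, reason) for each insecure setting found."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for option, value in _SETOPT_RE.findall(line):
            n = _php_int(value)
            if n is None:
                continue
            if option == "CURLOPT_SSL_VERIFYPEER" and n == 0:
                findings.append((line_no, option, value, "peer certificate not verified"))
            elif option == "CURLOPT_SSL_VERIFYHOST" and n != 2:
                findings.append((line_no, option, value,
                                 f"cast to {n}; only 2 checks the hostname"))
    return findings

# Constructed sample: the thread's noncompliant and "compliant" snippets plus variants.
SAMPLE_PHP = """<?php
$curl = curl_init('https://example.invalid/');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true);   // cast to 1, not 2
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, $verify);
"""

if __name__ == "__main__":
    for finding in check_curl_tls_options(SAMPLE_PHP):
        print("line %d: %s = %s (%s)" % finding)
```

Values that are not literals (the `$verify` line) are skipped rather than reported, so the check has no false positives but needs a data-flow-aware tool, such as the rule filed above, to cover them.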

(Pierre-Loup Tristant) #3

Rule has been added to sonarPHP.