Sure! Verifying TLS certificates is explicitly disabled in the file src/mgr/curlhttpt.cpp by the lines:

    /* Disable checking host certificate */
    curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);

I've attached a patch for Sword SVN trunk which removes these lines. For the Sword++ commit, see https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6

J

On 26.06.2017 04:10, Greg Hellings wrote:
> Jaak,
>
> Can you provide a version of that patch for 1.7 (and 1.8, if there is a
> difference)? Or point me to where it lives? I will definitely wrap that
> into the packaging for Fedora and SuSE as it is absolutely inappropriate
> to have SSL checking skipped at the library level without it being a
> very explicit step for users.
>
> If Troy won't fix this glaring security hole, it can at least be fixed
> by the packagers. I would encourage any Debian and/or Ubuntu users to
> file bugs against Sword packaging in their environments (if their
> maintainer isn't here) and the same for any other distribution users.
>
> --Greg
>
> On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <j...@ristioja.ee> wrote:
>
> > Regarding TLS, I think the choice of whether to trust a self-signed
> > certificate should explicitly be left to the user at run-time (e.g. like
> > browsers do), rather than blindly accepting any (even expired?)
> > certificates.
> >
> > Regarding the other fix, frontends can (and already do) handle threading
> > by themselves, but afaik even for a single-threaded process the
> > callbacks accepted by Sword have no direct means to terminate the
> > installation process (e.g. by return value, or via another callback
> > provided to the callback). So it seems that you're either saying that
> >
> > 1) Sword users have no means to terminate potentially long-running
> > processes (and there's no plan to add such means), or
> > 2) RemoteTransport::terminate() should never be called separately, but
> > exclusively only from inside callbacks invoked by Sword.
> >
> > In the latter case, this should be made clear in the documentation.
> >
> > Blessings,
> > J
> >
> > On 25.06.2017 21:53, Troy A. Griffitts wrote:
> > > We have included some of your patches in the past (thank you again), but
> > > not these. The first is intentional. We want to work with self signed
> > > certs if necessary. None of our content is private, only the fact that a
> > > user might access our server and for this, we ask all our frontends to
> > > warn against this for persecuted countries. The second goes against our
> > > policy in the library that all threading should be handled by the
> > > client, not the library. The client should instantiate an InstallMgr in
> > > its own thread and register threads as callbacks, if they wish to
> > > install in the background. If we start trying to handle threading in the
> > > library itself, it is a huge switch from current policy and depends on
> > > support for threading in all our compilers. Easy enough to just
> > > instantiate separate SWMgr instances per thread. But thank you for offering.
> > >
> > > Troy
> > >
> > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja <j...@ristioja.ee> wrote:
> > > >
> > > > Hi Troy!
> > > >
> > > > It seems that no fixes from Sword++ were considered for inclusion in SVN
> > > > trunk, not even the two I explicitly proposed on this list in response
> > > > to the RC2 announcement: one fixing hangs in front ends and the other
> > > > fixing a pure security negligence which rendered SSL/TLS susceptible to
> > > > MitM attacks.
> > > >
> > > > ?!?!
> > > >
> > > > J
> > > >
> > > > On 25.06.2017 18:51, Troy A. Griffitts wrote:
> > > > >
> > > > > Again, thank you to all the testers and reporters of problems for the
> > > > > previous RC and those who contributed fixes. Hopefully, this will stand
> > > > > any scrutiny and become 1.8.0. Please let me know if you have any feedback.
> > > > >
> > > > > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
> > > > >
> > > > > Included since last RC:
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
> > > > >
> > > > > Reworked strongs and lemma filters to better support any combo of toggle
> > > > > Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
> > > > > ------------------------------------------------------------------------
> > > > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
> > > > >
> > > > > moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
> > > > >
> > > > > also updated CMakeList.txt to build new examples
> > > > > ------------------------------------------------------------------------
> > > > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
> > > > >
> > > > > added listbiblebooknames example
> > > > > ------------------------------------------------------------------------
> > > > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
> > > > >
> > > > > added flatapi installmgr example
> > > > > ------------------------------------------------------------------------
> > > > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
> > > > >
> > > > > added Belarussian locale file
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
> > > > >
> > > > > French translation update (Contrib. from Cyrille)
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > > sword-devel mailing list: sword-devel@crosswire.org
> > > > > http://www.crosswire.org/mailman/listinfo/sword-devel
> > > > > Instructions to unsubscribe/change your settings at above page
> > >
> > > --
> > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
commit 92813daed672ecd2a158638aa9a78d828e669e41 Author: Jaak Ristioja <j...@ristioja.ee> Date: Mon Jun 26 10:29:53 2017 +0300 CURLHTTPTransport: Fixed MiTM, TLS peer certificate was not verified. diff --git a/src/mgr/curlhttpt.cpp b/src/mgr/curlhttpt.cpp index ce4ba087..089a3104 100644 --- a/src/mgr/curlhttpt.cpp +++ b/src/mgr/curlhttpt.cpp @@ -139,9 +139,6 @@ char CURLHTTPTransport::getURL(const char *destPath, const char *sourceURL, SWBu /* Switch on full protocol/debug output */ curl_easy_setopt(session, CURLOPT_VERBOSE, true); curl_easy_setopt(session, CURLOPT_CONNECTTIMEOUT, 45); - - /* Disable checking host certificate */ - curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false); /* FTP connection settings */
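Review bot: Removing the CURLOPT_SSL_VERIFYPEER line leaves peer verification to libcurl's default instead of stating it in this code; set it explicitly, `curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, 1L);`, keep CURLOPT_SSL_VERIFYHOST at its default of 2L, and replace the deleted comment with one saying verification is intentionally on, so that a later edit or a differently built libcurl cannot silently turn it back off. In the unchanged context, `curl_easy_setopt(session, CURLOPT_VERBOSE, true);` passes a bool where libcurl documents a long through its variadic interface; `1L` is the correct argument (the deleted line had the same mismatch with `false`), and full protocol/debug output left enabled in library code is worth a second look. The commit message names only CURLHTTPTransport; if any other transport in the tree sets up its own curl session, it needs the same check.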