Use SSL by default in Internet::simpleCurl(), Internet::getURL() and Internet::postURL() #5850
Labels
Category: API
Related to the plugin API
Category: Core
Related to internal functionality
Type: Enhancement
Contributes features or other improvements to PocketMine-MP
Description
Many years ago, someone decided to use CURLOPT_VERIFYPEER = false in cURL invocations, as seen here:
PocketMine-MP/src/utils/Internet.php
Line 207 in 8dedbb7
This is a security risk, and users of these functions certainly don't expect a core API like this to behave in an unsafe manner.
However, fixing this is currently problematic, since SSL does not work with cURL on any platform right now due to the lack of proper SSL certificate bundle configuration. This problem exists on both Windows and Linux, although Windows somehow knows to look at the system certificate store when using file_get_contents()...
Justification
Not using SSL is very 2010 and is a security risk.
Alternative methods
We could leave it disabled by default and add a parameter to enable SSL, but no one would use it, as PM's target developer audience is mostly adolescents who have no idea what SSL is in the first place.
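An added example, not part of the issue and not PocketMine-MP code: a sketch of a cURL GET that keeps peer and host verification on, and addresses the certificate bundle problem described above by probing for a CA file before the request. The function names `findCaBundle()` and `verifiedGet()` and the two Linux bundle paths are assumptions for illustration; the openssl extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: return the first readable CA bundle, or null if none is found.
function findCaBundle(): ?string {
    $candidates = [
        ini_get('curl.cainfo'),                               // php.ini override for cURL
        ini_get('openssl.cafile'),                            // php.ini override for OpenSSL
        openssl_get_cert_locations()['default_cert_file'] ?? null,
        '/etc/ssl/certs/ca-certificates.crt',                 // assumed: Debian/Ubuntu layout
        '/etc/pki/tls/certs/ca-bundle.crt',                   // assumed: RHEL/Fedora layout
    ];
    foreach ($candidates as $path) {
        if (is_string($path) && $path !== '' && is_file($path) && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Hypothetical helper: HTTPS GET that fails closed when the certificate cannot be verified.
function verifiedGet(string $url, int $timeout = 10): string {
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }
    $opts = [
        CURLOPT_SSL_VERIFYPEER => true,           // check the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,              // check the certificate matches the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain HTTP
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
    ];
    $bundle = findCaBundle();
    if ($bundle !== null) {
        $opts[CURLOPT_CAINFO] = $bundle;          // otherwise rely on libcurl's built-in default
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the error instead of retrying with verification disabled.
        throw new RuntimeException(sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch)));
    }
    return $body;
}
```

When no bundle is found and libcurl has no usable default, the request fails with a certificate error rather than silently succeeding unverified.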