Improved check for invalid certificates

This commit is contained in:
Michael 2022-07-16 08:27:38 +00:00
parent 896fd3fc91
commit abe3fd7605
4 changed files with 25 additions and 41 deletions

View file

@ -68,6 +68,13 @@ class HttpClient implements ICanSendHttpRequests
$this->profiler->startRecording('network');
$this->logger->debug('Request start.', ['url' => $url, 'method' => $method]);
$host = parse_url($url, PHP_URL_HOST);
if(!filter_var($host, FILTER_VALIDATE_IP) && !@dns_get_record($host . '.', DNS_A + DNS_AAAA)) {
$this->logger->debug('URL cannot be resolved.', ['url' => $url, 'callstack' => System::callstack(20)]);
$this->profiler->stopRecording();
return CurlResult::createErrorCurl($url);
}
if (Network::isLocalLink($url)) {
$this->logger->info('Local link', ['url' => $url, 'callstack' => System::callstack(20)]);
}
@ -125,6 +132,10 @@ class HttpClient implements ICanSendHttpRequests
$conf[RequestOptions::TIMEOUT] = $opts[HttpClientOptions::TIMEOUT];
}
if (isset($opts[HttpClientOptions::VERIFY])) {
$conf[RequestOptions::VERIFY] = $opts[HttpClientOptions::VERIFY];
}
if (!empty($opts[HttpClientOptions::BODY])) {
$conf[RequestOptions::BODY] = $opts[HttpClientOptions::BODY];
}

View file

@ -52,6 +52,12 @@ class HttpClientOptions
* content_length: (int) maximum File content length
*/
const CONTENT_LENGTH = 'content_length';
/**
* verify: (bool|string, default=true) Describes the SSL certificate
*/
const VERIFY = 'verify';
/**
* body: (mixed) Setting the body for sending data
*/

View file

@ -167,6 +167,10 @@ class CurlResult implements ICanHandleHttpResponses
$this->isSuccess = false;
}
if (empty($this->returnCode) && empty($this->header) && empty($this->body)) {
$this->isSuccess = false;
}
if (!$this->isSuccess) {
Logger::debug('debug', ['info' => $this->info]);
}

View file

@ -71,16 +71,17 @@ class Network
$xrd_timeout = DI::config()->get('system', 'xrd_timeout');
$host = parse_url($url, PHP_URL_HOST);
if (empty($host) || !(@dns_get_record($host . '.', DNS_A + DNS_AAAA + DNS_CNAME) || filter_var($host, FILTER_VALIDATE_IP))) {
if (empty($host) || !(filter_var($host, FILTER_VALIDATE_IP) || @dns_get_record($host . '.', DNS_A + DNS_AAAA))) {
return false;
}
if (in_array(parse_url($url, PHP_URL_SCHEME), ['https', 'http'])) {
$curlResult = DI::httpClient()->head($url, [HttpClientOptions::TIMEOUT => $xrd_timeout]);
$options = [HttpClientOptions::VERIFY => true, HttpClientOptions::TIMEOUT => $xrd_timeout];
$curlResult = DI::httpClient()->head($url, $options);
// Workaround for systems that can't handle a HEAD request. Don't retry on timeouts.
if (!$curlResult->isSuccess() && ($curlResult->getReturnCode() >= 400) && !in_array($curlResult->getReturnCode(), [408, 504])) {
$curlResult = DI::httpClient()->get($url, HttpClientAccept::DEFAULT, [HttpClientOptions::TIMEOUT => $xrd_timeout]);
$curlResult = DI::httpClient()->get($url, HttpClientAccept::DEFAULT, $options);
}
if (!$curlResult->isSuccess()) {
@ -91,44 +92,6 @@ class Network
}
}
// Check if the certificate is valid for this hostname
if (parse_url($url, PHP_URL_SCHEME) == 'https') {
$port = parse_url($url, PHP_URL_PORT) ?? 443;
$context = stream_context_create(["ssl" => ['capture_peer_cert' => true]]);
$resource = @stream_socket_client('ssl://' . $host . ':' . $port, $errno, $errstr, $xrd_timeout, STREAM_CLIENT_CONNECT, $context);
if (empty($resource)) {
Logger::notice('Invalid certificate', ['host' => $host]);
return false;
}
$cert = stream_context_get_params($resource);
if (empty($cert)) {
Logger::notice('Invalid certificate params', ['host' => $host]);
return false;
}
$certinfo = openssl_x509_parse($cert['options']['ssl']['peer_certificate']);
if (empty($certinfo)) {
Logger::notice('Invalid certificate information', ['host' => $host]);
return false;
}
$valid_from = date(DATE_RFC2822,$certinfo['validFrom_time_t']);
$valid_to = date(DATE_RFC2822,$certinfo['validTo_time_t']);
if ($certinfo['validFrom_time_t'] > time()) {
Logger::notice('Certificate validity starts after current date', ['host' => $host, 'from' => $valid_from, 'to' => $valid_to]);
return false;
}
if ($certinfo['validTo_time_t'] < time()) {
Logger::notice('Certificate validity ends before current date', ['host' => $host, 'from' => $valid_from, 'to' => $valid_to]);
return false;
}
}
return $url;
}