

fix: check peers certificate when using https transport
Previously, the peer's certificate identity was not checked.
Because of that, man-in-the-middle attacks were possible using
self-signed certificates.

The fix removes the CURLOPT_SSL_VERIFYPEER=0 configuration,
so that the CURL default is used and the certificate is properly
checked.
fmoessbauer committed Sep 27, 2020
1 parent 7384aa7 commit a9f89a2
Showing 3 changed files with 0 additions and 17 deletions.
9 changes: 0 additions & 9 deletions src/HTTP.cxx
Expand Up @@ -77,7 +77,6 @@ void HTTP::initCurl(const std::string &url)
}
writeHandle = curl_easy_init();
curl_easy_setopt(writeHandle, CURLOPT_URL, writeUrl.c_str());
curl_easy_setopt(writeHandle, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(writeHandle, CURLOPT_CONNECTTIMEOUT, 10);
curl_easy_setopt(writeHandle, CURLOPT_TIMEOUT, 10);
curl_easy_setopt(writeHandle, CURLOPT_POST, 1);
Expand All @@ -97,7 +96,6 @@ void HTTP::initCurlRead(const std::string &url)
mReadUrl = url + "&q=";
mReadUrl.insert(mReadUrl.find('?'), "/query");
readHandle = curl_easy_init();
curl_easy_setopt(readHandle, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(readHandle, CURLOPT_CONNECTTIMEOUT, 10);
curl_easy_setopt(readHandle, CURLOPT_TIMEOUT, 10);
curl_easy_setopt(readHandle, CURLOPT_TCP_KEEPIDLE, 120L);
Expand Down Expand Up @@ -128,12 +126,6 @@ void HTTP::enableBasicAuth(const std::string &auth)
curl_easy_setopt(readHandle, CURLOPT_USERPWD, auth.c_str());
}

void HTTP::enableSsl()
{
curl_easy_setopt(readHandle, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(writeHandle, CURLOPT_SSL_VERIFYPEER, 0L);
}

void HTTP::send(std::string &&lineprotocol)
{
CURLcode response;
Expand Down Expand Up @@ -206,7 +198,6 @@ void HTTP::createDatabase()

CURL *createHandle = curl_easy_init();
curl_easy_setopt(createHandle, CURLOPT_URL, createUrl.c_str());
curl_easy_setopt(createHandle, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(createHandle, CURLOPT_CONNECTTIMEOUT, 10);
curl_easy_setopt(createHandle, CURLOPT_TIMEOUT, 10);
curl_easy_setopt(createHandle, CURLOPT_POST, 1);
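Review bot: With the CURLOPT_SSL_VERIFYPEER overrides gone, the writeHandle in initCurl, the readHandle in initCurlRead and the createHandle in createDatabase all verify against libcurl's default CA store, but nothing in this file lets a caller trust a private CA, so deployments that relied on self-signed certificates now have no supported configuration path. Consider a narrow hook that sets `CURLOPT_CAINFO` (or `CURLOPT_CAPATH`) on all three handles, and record the intent at the top of initCurl with `// TLS peer/host verification stays at libcurl's defaults (VERIFYPEER=1, VERIFYHOST=2); never disable it here.` Independently, the CONNECTTIMEOUT, TIMEOUT and POST options pass `10` and `1` as int while libcurl reads a long for these options (compare `120L` on the TCP_KEEPIDLE line); `10L` and `1L` are the correct forms, and the same applies in createDatabase. A verification failure now surfaces from curl_easy_perform in send(), whose body lies outside this hunk, so check that CURLE_PEER_FAILED_VERIFICATION is reported rather than swallowed.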
3 changes: 0 additions & 3 deletions src/HTTP.h
Expand Up @@ -61,9 +61,6 @@ class HTTP : public Transport
/// \param auth <username>:<password>
void enableBasicAuth(const std::string &auth);

/// Enable SSL
void enableSsl();

/// Get the database name managed by this transport
[[nodiscard]] std::string databaseName() const;

5 changes: 0 additions & 5 deletions src/InfluxDBFactory.cxx
Expand Up @@ -72,11 +72,6 @@ std::unique_ptr<Transport> withHttpTransport(const http::url &uri)
{
transport->enableBasicAuth(uri.user + ":" + uri.password);
}

if (uri.protocol == "https")
{
transport->enableSsl();
}
return transport;
}

