Details
- Type: Bug
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 4.1.0
- Fix Version/s: 4.2.0
- Component/s: CiviContribute
- Labels: None
Description
All CiviCRM payment processors set CURLOPT_SSL_VERIFYPEER to false when making curl requests to https servers. This is because curl ships with its own list of CAs and it used to be a really bad list, so valid certificates would fail all the time. Now curl ships with a much better list of CAs, and it's safe to set CURLOPT_SSL_VERIFYPEER to true. I have tested all of the URLs that all of the payment processors make requests to, and they all pass except for https://www.sandbox.paypal.com/.
We should make verifying SSL certificates an option that defaults to yes in CiviCRM.
The attached php_curl_ssl.php is a script that makes curl requests to CiviCRM payment processor URLs with CURLOPT_SSL_VERIFYPEER set to true.
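A sketch of the proposal above, as an added example that is neither the attached php_curl_ssl.php nor CiviCRM code: a verification option that defaults to yes, plus a command-line check that probes the URLs passed as arguments with verification enabled. The setting name `verifySSL` and the `example_*` function names are hypothetical, and the example also sets CURLOPT_SSL_VERIFYHOST, which the report does not mention.

```php
<?php
// Added example, not CiviCRM code. 'verifySSL' and the example_* names
// are hypothetical; they illustrate an option that defaults to verifying.

/**
 * Build curl options for an HTTPS request.
 * Verification stays on unless the setting is explicitly FALSE.
 */
function example_curl_options(array $settings = []): array {
  $verify = (bool) ($settings['verifySSL'] ?? TRUE);
  return [
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_NOBODY         => TRUE,  // the TLS handshake is all we test
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT        => 20,
    // Check the certificate chain against curl's CA list.
    CURLOPT_SSL_VERIFYPEER => $verify,
    // Also check that the certificate matches the host name (2 = strict).
    CURLOPT_SSL_VERIFYHOST => $verify ? 2 : 0,
  ];
}

/**
 * Connect to $url; return NULL on success or a curl error description.
 * Certificate failures surface here as curl errors, not HTTP statuses.
 */
function example_probe(string $url, array $settings = []): ?string {
  $ch = curl_init($url);
  curl_setopt_array($ch, example_curl_options($settings));
  curl_exec($ch);
  $errno = curl_errno($ch);
  return $errno ? sprintf('curl error %d: %s', $errno, curl_error($ch)) : NULL;
}

// CLI usage: php check_tls.php https://host-one/ https://host-two/
$args = $_SERVER['argv'] ?? [];
if (PHP_SAPI === 'cli' && count($args) > 1) {
  $failed = 0;
  foreach (array_slice($args, 1) as $url) {
    $error = example_probe($url);
    printf("%-6s %s%s\n", $error ? 'FAIL' : 'OK', $url, $error ? "  ($error)" : '');
    $failed += $error ? 1 : 0;
  }
  exit($failed ? 1 : 0);  // non-zero exit if any URL failed verification
}
```

The script exits non-zero when any URL fails verification, so it can run as a scheduled check against the processor endpoints a site actually uses.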