'maxurllength' => 100,
'maxnoticelength' => -1),
'http' => // HTTP client settings when contacting other sites
- array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+ array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt') (this activates "ssl_verify_peer")
+ 'ssl_verify_host' => true, // HTTPRequest2 makes sure this is set to CURLOPT_SSL_VERIFYHOST==2 if using curl
'curl' => false, // Use CURL backend for HTTP fetches if available. (If not, PHP's socket streams will be used.)
'proxy_host' => null,
'proxy_port' => null,
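Review bot: The default on the `ssl_cafile` line is still `false`, so out of the box peer verification stays off and the new `'ssl_verify_host' => true` only compares the hostname with a certificate whose chain nobody has validated. A self-signed certificate carrying the expected name would still be accepted, so the setting alone does not authenticate the remote site. The inline comment should say that, for example `// Hostname check only; it does not authenticate the remote site unless 'ssl_cafile' is also set`. The comment added in the second hunk makes the same distinction and could also point administrators at `ssl_cafile`.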
$this->config['ssl_verify_peer'] = false;
}
+ // This means "verify the cert hostname against what we connect to", it does not
+ // imply CA trust or anything like that. Just the hostname.
+ $this->config['ssl_verify_host'] = common_config('http', 'ssl_verify_host');
+
if (common_config('http', 'curl') && extension_loaded('curl')) {
$this->config['adapter'] = 'HTTP_Request2_Adapter_Curl';
}
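Review bot: The result of `common_config('http', 'ssl_verify_host')` is copied into the client config as-is, and `common_config` is not visible in this hunk. If it returns a falsy value for a key that an existing site configuration does not define, hostname checking would be off after an upgrade with no visible trace; that is worth confirming against the defaults added in the first hunk. A short comment would record the expectation: `// Expected to be boolean; defaults to true in the 'http' section of the default config`. A log line when the value is falsy would also help, so that a disabled check shows up during an audit. The enclosing function starts above the hunk and continues below it.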