Commit b2f59dd2, authored by Travis Cross

Add warning when using HTTPS with mod_curl

mod_curl currently does not verify the authenticity of the peer's
certificate, and does not verify whether the common name on the
certificate matches the server.  This makes mod_curl initiated TLS
connections completely insecure.  We should fix this, but until we do,
we'll warn people that it's not doing what they may think it is.

ref: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
ref: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
Parent 6d1469d2
......@@ -194,6 +194,7 @@ static http_data_t *do_lookup_url(switch_memory_pool_t *pool, const char *url, c
}
if (!strncasecmp(url, "https", 5)) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert for %s; connection is not secure\n", url);
switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0);
switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0);
}
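Review bot: The new switch_log_printf call in do_lookup_url writes the whole `url` to the log at WARNING level, so any userinfo or query-string token embedded in the URL ends up in the log file. Consider logging only the scheme and host, or redacting everything after the path. Separately, the warning describes the problem but both verification options stay at 0; a follow-up that makes them configurable, defaulting to CURLOPT_SSL_VERIFYPEER enabled and CURLOPT_SSL_VERIFYHOST set to 2, would let operators opt in to a verified connection before the full fix lands.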
......@@ -357,6 +358,7 @@ static void http_sendfile_initialize_curl(http_sendfile_data_t *http_data)
if (!strncasecmp(http_data->url, "https", 5))
{
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert for %s; connection is not secure\n", http_data->url);
curl_easy_setopt(http_data->curl_handle, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(http_data->curl_handle, CURLOPT_SSL_VERIFYHOST, 0);
}
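Review bot: The two curl_easy_setopt calls in http_sendfile_initialize_curl pass a plain `0`, but libcurl reads both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST as a long through varargs, so the argument should be written `0L`; this path also calls curl_easy_setopt directly while do_lookup_url goes through switch_curl_easy_setopt, which is worth aligning. The warning string here is a verbatim copy of the one in do_lookup_url; a small shared helper would keep the wording and any later redaction of the URL in one place.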
......