Add warning when using HTTPS with mod_curl
authorTravis Cross <tc@traviscross.com>
Thu, 21 Aug 2014 22:17:35 +0000 (22:17 +0000)
committerTravis Cross <tc@traviscross.com>
Thu, 21 Aug 2014 22:24:04 +0000 (22:24 +0000)
mod_curl currently does not verify the authenticity of the peer's
certificate (CURLOPT_SSL_VERIFYPEER is set to 0), and does not verify whether
the name on the certificate (CN or subjectAltName) matches the host being
connected to (CURLOPT_SSL_VERIFYHOST is set to 0).  This makes mod_curl
initiated TLS connections completely insecure: an active attacker can present
any certificate and read or alter the traffic.  We should fix this, but until
we do, we'll warn people that it's not doing what they may think it is.

ref: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
ref: http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html

src/mod/applications/mod_curl/mod_curl.c

index 61f9a78d2a0969d5b84a0134f2048bfb07c0ea74..bff5df864cbb22494bec28dbf113f19e64434cae 100644 (file)
@@ -194,6 +194,7 @@ static http_data_t *do_lookup_url(switch_memory_pool_t *pool, const char *url, c
        }
 
        if (!strncasecmp(url, "https", 5)) {
+               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert for %s; connection is not secure\n", url);
                switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0);
                switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 0);
        }
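Review bot: The two lines following the new warning still force `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` to 0, so every HTTPS lookup keeps accepting any certificate; libcurl's own defaults (peer verification on, host verification level 2, per the docs this commit references) already give a secure path, so the smaller real fix is to drop the two setopt calls or, if an opt-out is genuinely needed, gate them on a caller-supplied flag, with the verifying form being `switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 1L); switch_curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYHOST, 2L);`. These options take a `long`, so the literal should be written `0L`/`1L`/`2L` rather than a bare `int` `0` through the variadic setopt call. The warning is emitted on every request at WARNING level; if the insecure default is kept for now, consider logging it once at module load or at DEBUG level so it does not drown out other log output. do_lookup_url starts before the hunk and continues after it.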
@@ -357,6 +358,7 @@ static void http_sendfile_initialize_curl(http_sendfile_data_t *http_data)
        
        if (!strncasecmp(http_data->url, "https", 5))
        {
+               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not verifying TLS cert for %s; connection is not secure\n", http_data->url);
                curl_easy_setopt(http_data->curl_handle, CURLOPT_SSL_VERIFYPEER, 0);
                curl_easy_setopt(http_data->curl_handle, CURLOPT_SSL_VERIFYHOST, 0);
        }
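Review bot: The added warning logs `http_data->url` verbatim, and a URL may carry `user:password@` userinfo or a query-string token, so secrets can end up in the log at WARNING level on what appears to be every sendfile setup; the message should print only the scheme and host (or a copy with userinfo and query stripped) rather than the raw URL. The same forced `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` = 0 pair remains on the two lines below the warning, so the connection is indeed unauthenticated as the message says; as in do_lookup_url, the fix is to enable verification (`1L` and `2L`, libcurl's defaults) or to gate the opt-out on explicit configuration. http_sendfile_initialize_curl starts before the hunk.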