author | friendica <info@friendica.com> | 2014-03-24 17:16:01 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-03-24 17:16:01 -0700 |
commit | e6ea4a757452f93d49a80bf1f4fa76c88c3659ff (patch) | |
tree | b23092f34f45940d9777ab37823a8a46fe2f3661 | |
parent | 592f5591d9751b3ed6194ba018ff56897bc4e7e5 (diff) | |
ssl ciphers - be liberal in what we accept, conservative in what we generate
-rw-r--r-- | .htaccess | 2 | ||||
-rw-r--r-- | doc/To-Do-Code.md | 4 | ||||
-rw-r--r-- | doc/to_do_code.bb | 4 | ||||
-rw-r--r-- | include/network.php | 36 | ||||
-rw-r--r-- | mod/probe.php | 4 | ||||
-rw-r--r-- | version.inc | 2 | ||||
-rw-r--r-- | view/en/htconfig.tpl | 7 |
7 files changed, 42 insertions, 17 deletions
@@ -1,7 +1,7 @@
 Options -Indexes
 AddType application/x-java-archive .jar
 AddType audio/ogg .oga
-#SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
+#SSLCipherSuite HIGH:AES256-SHA:AES128-SHA:RC4:!aNULL:!eNULL:!EDH
 # don't allow any web access to logfiles, even after rotation/compression
 <FilesMatch "\.(out|log|gz)$">
diff --git a/doc/To-Do-Code.md b/doc/To-Do-Code.md
index 58ecd18c6..fe5ec1842 100644
--- a/doc/To-Do-Code.md
+++ b/doc/To-Do-Code.md
@@ -23,6 +23,10 @@ We need much more than this, but here are areas where developers can help. Pleas
 * (Advanced) create a UI for building Comanche pages
+* External post connectors - create standard interface
+
+* External post connectors, add popular services
+
 * templatise and translate the Web interface to webDAV
 * Extend WebDAV to provide desktop access to photo albums
diff --git a/doc/to_do_code.bb b/doc/to_do_code.bb
index ac337e5d8..fc2c2082d 100644
--- a/doc/to_do_code.bb
+++ b/doc/to_do_code.bb
@@ -28,7 +28,9 @@ We need much more than this, but here are areas where developers can help. Pleas
 [li]Extend WebDAV to provide desktop access to photo albums]/li]
-[li]Create a module PDL editor (separate from but integrated with the page layout editor) as a separate module. This will allow folks to view and alter the pre-defined layouts for any module in the system. If the custom module is removed or empty, revert to the system layout.
+[li]External post connectors - create standard interface[/li]
+
+[li]External post connectors, add popular services[/li]
[li]service classes - provide a pluggable subscription payment gateway for premium accounts[/li]
diff --git a/include/network.php b/include/network.php
index 7fc3d835e..0bf05c0f0 100644
--- a/include/network.php
+++ b/include/network.php
@@ -43,8 +43,14 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
 @curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
 @curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)");
+$ciphers = @get_config('system','curl_ssl_ciphers');
+if(! $ciphers)
+$ciphers = 'ALL:!eNULL';
+
+@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
+
 if (x($opts,'accept_content')){
-curl_setopt($ch,CURLOPT_HTTPHEADER, array (
+@curl_setopt($ch,CURLOPT_HTTPHEADER, array (
 "Accept: " . $opts['accept_content']
 ));
 }
@@ -138,21 +144,27 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 if(($redirects > 8) || (! $ch))
 return ret;
-curl_setopt($ch, CURLOPT_HEADER, true);
+@curl_setopt($ch, CURLOPT_HEADER, true);
 @curl_setopt($ch, CURLOPT_CAINFO, get_capath());
-curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
-curl_setopt($ch, CURLOPT_POST,1);
-curl_setopt($ch, CURLOPT_POSTFIELDS,$params);
-curl_setopt($ch, CURLOPT_USERAGENT, "Red");
+@curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
+@curl_setopt($ch, CURLOPT_POST,1);
+@curl_setopt($ch, CURLOPT_POSTFIELDS,$params);
+@curl_setopt($ch, CURLOPT_USERAGENT, "Red");
+
+$ciphers = @get_config('system','curl_ssl_ciphers');
+if(! $ciphers)
+$ciphers = 'ALL:!eNULL';
+
+@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, Z_CURL_CIPHERS);
 if (x($opts,'accept_content')){
-curl_setopt($ch,CURLOPT_HTTPHEADER, array (
+@curl_setopt($ch,CURLOPT_HTTPHEADER, array (
 "Accept: " . $opts['accept_content']
 ));
 }
 if(x($opts,'headers'))
-curl_setopt($ch, CURLOPT_HTTPHEADER, $opts['headers']);
+@curl_setopt($ch, CURLOPT_HTTPHEADER, $opts['headers']);
 if(x($opts,'timeout') && intval($opts['timeout'])) {
 @curl_setopt($ch, CURLOPT_TIMEOUT, $opts['timeout']);
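Review bot: The fallback `$ciphers = 'ALL:!eNULL';` in the z_fetch_url hunk still admits the anonymous key-exchange suites: in OpenSSL's cipher-string grammar `ALL` excludes only `eNULL`, and an `aNULL` suite presents no server certificate, so a peer that negotiates one is not subject to the CAINFO-based verification this code otherwise relies on. A default of `$ciphers = 'ALL:!eNULL:!aNULL';` keeps the "liberal" intent while ruling that out; the commit's own .htaccess line already includes `!aNULL`. The same default is repeated in the z_post_url hunk and in the view/en/htconfig.tpl hunk, and both should change together. Note also that `@curl_setopt` hides a rejected cipher list on builds whose TLS backend uses a different syntax (the htconfig.tpl comment mentions NSS), so a failure here would surface only as an unexplained connection error; z_fetch_url continues outside the hunk.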
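Review bot: In the z_post_url hunk the freshly computed `$ciphers` is never used: the line that follows passes `Z_CURL_CIPHERS`, which is defined nowhere in this diff. If that constant does not exist, PHP of this era evaluates it as the bare string `"Z_CURL_CIPHERS"` (the notice is swallowed by the `@`), libcurl then gets an invalid cipher list, and every TLS handshake made through z_post_url fails silently. It should read `@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);`, matching the z_fetch_url hunk. The context line `return ret;` above it is pre-existing but looks like it was meant to be `return $ret;`; z_post_url continues outside the hunk.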
@@ -172,11 +184,11 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 $prx = get_config('system','proxy');
 if(strlen($prx)) {
-curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
-curl_setopt($ch, CURLOPT_PROXY, $prx);
+@curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
+@curl_setopt($ch, CURLOPT_PROXY, $prx);
 $prxusr = get_config('system','proxyuser');
 if(strlen($prxusr))
-curl_setopt($ch, CURLOPT_PROXYUSERPWD, $prxusr);
+@curl_setopt($ch, CURLOPT_PROXYUSERPWD, $prxusr);
 }
 // don't let curl abort the entire application
@@ -185,7 +197,7 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 $s = @curl_exec($ch);
 $base = $s;
-$curl_info = curl_getinfo($ch);
+$curl_info = @curl_getinfo($ch);
 $http_code = $curl_info['http_code'];
 $header = '';
diff --git a/mod/probe.php b/mod/probe.php
index 5b226cb6a..8e0b60dcc 100644
--- a/mod/probe.php
+++ b/mod/probe.php
@@ -20,13 +20,13 @@ function probe_content(&$a) {
 if($res['success'])
 $j = json_decode($res['body'],true);
 else {
-$o .= sprintf( t('Fetching URL returns error: $1%s'),$res['error'] . "\r\n\r\n");
+$o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");
 $o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n";
 $res = zot_finger($addr,$channel,true);
 if($res['success'])
 $j = json_decode($res['body'],true);
 else
-$o .= sprintf( t('Fetching URL returns error: $1%s'),$res['error'] . "\r\n\r\n");
+$o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");
 }
 if($j && $j['permissions'] && $j['permissions']['iv'])
diff --git a/version.inc b/version.inc
index e3203e51d..a63c71f59 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2014-03-23.625
+2014-03-24.626
diff --git a/view/en/htconfig.tpl b/view/en/htconfig.tpl
index 840e7a124..8e2d32433 100644
--- a/view/en/htconfig.tpl
+++ b/view/en/htconfig.tpl
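Review bot: Both corrected lines in the mod/probe.php hunk append `$res['error']` to `$o` without escaping, and the neighbouring `<strong>` line shows `$o` is rendered as HTML. The error text comes from the fetch layer and, for a resolver or connection failure, can presumably carry back part of the `$addr` the user typed into the probe form, so it should not reach the page raw. Wrapping the argument as `htmlspecialchars($res['error'], ENT_QUOTES, 'UTF-8')` at both added lines closes that; `%1$s` itself is the right positional placeholder. probe_content continues outside the hunk.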
@@ -85,6 +85,13 @@ $a->config['system']['php_path'] = '{{$phpath}}';
 $a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;
+
+// libcurl default ciphers - Redhat and NSS based systems may use a different
+// syntax. This indicates the ciphers we will accept when connecting to any
+// https site. We want this to be as liberal as possible.
+
+$a->config['system']['curl_ssl_ciphers'] = 'ALL:!eNULL';
+
 // default system theme
 $a->config['system']['theme'] = 'redbasic';