author | friendica <info@friendica.com> | 2014-03-25 15:19:18 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-03-25 15:19:18 -0700 |
commit | 7375e305060df3818f01a96fbbd811921468ad89 (patch) | |
tree | 71cd4ebb6ef0bd7fa4434ef6868e141bca84c0b3 | |
parent | f14596b1ebeecf2c75939374136c830e44dbd923 (diff) | |
This should be a slight improvement in setting ciphers - we'll punt on RedHat but open up the list just for openssl distros which seem to have all the problems at the moment.
-rwxr-xr-x | boot.php | 2 | ||||
-rw-r--r-- | include/network.php | 12 | ||||
-rw-r--r-- | install/update.php | 11 | ||||
-rwxr-xr-x | mod/setup.php | 19 | ||||
-rw-r--r-- | view/en/htconfig.tpl | 7 |
5 files changed, 33 insertions, 18 deletions
@@ -47,7 +47,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' );
 define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R');
 define ( 'ZOT_REVISION', 1 );
-define ( 'DB_UPDATE_VERSION', 1103 );
+define ( 'DB_UPDATE_VERSION', 1104 );
 define ( 'EOL', '<br />' . "\r\n" );
 define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );
diff --git a/include/network.php b/include/network.php
index 14771d88f..9f68328b7 100644
--- a/include/network.php
+++ b/include/network.php
@@ -44,10 +44,8 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
 @curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)");
 $ciphers = @get_config('system','curl_ssl_ciphers');
- if(! $ciphers)
- $ciphers = 'ALL:!eNULL';
-
- @curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
+ if($ciphers)
+ @curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
 if (x($opts,'accept_content')){
 @curl_setopt($ch,CURLOPT_HTTPHEADER, array (
@@ -152,10 +150,8 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 @curl_setopt($ch, CURLOPT_USERAGENT, "Red");
 $ciphers = @get_config('system','curl_ssl_ciphers');
- if(! $ciphers)
- $ciphers = 'ALL:!eNULL';
-
- @curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
+ if($ciphers)
+ @curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
 if (x($opts,'accept_content')){
diff --git a/install/update.php b/install/update.php
index 11b1c1da6..06a60db79 100644
--- a/install/update.php
+++ b/install/update.php
@@ -1,6 +1,6 @@
 <?php
-define( 'UPDATE_VERSION' , 1103 );
+define( 'UPDATE_VERSION' , 1104 );
 /**
  *
@@ -1158,4 +1158,11 @@ function update_r1102() {
 intval(ABOOK_FLAG_UNCONNECTED)
 );
 return UPDATE_SUCCESS;
-}
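Review bot: The new `if($ciphers)` branch in z_fetch_url() has no comment saying what happens when the key is unset or what syntax the value must use, which matters now that the hard-coded fallback is gone. I would add above it: `// No override configured: keep libcurl's default cipher list. A configured value is passed through verbatim and must use the cipher syntax of the TLS library curl is linked against.` A value the backend cannot parse will presumably only show up as a failed request, and the `@` on the call hides any warning. The same comment applies to the identical hunk in z_post_url(); both function bodies continue outside the hunks.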
\ No newline at end of file
+}
+
+function update_r1103() {
+ $x = curl_version();
+ if(stristr($x['ssl_version'],'openssl'))
+ set_config('system','curl_ssl_ciphers','ALL:!eNULL');
+ return UPDATE_SUCCESS;
+}
diff --git a/mod/setup.php b/mod/setup.php
index 83317dc4c..02c2268ce 100755
--- a/mod/setup.php
+++ b/mod/setup.php
@@ -605,9 +605,28 @@ function what_next() {
 $a = get_app();
 // install the standard theme
 set_config('system','allowed_themes','redbasic');
+
+ // Set a lenient list of ciphers if using openssl. Other ssl engines
+ // (e.g. NSS used in RedHat) require different syntax, so hopefully
+ // the default curl cipher list will work for most sites. If not,
+ // this can set via config. Many distros are now disabling RC4,
+ // but many Red sites still use it and are unable to change it.
+ // We do not use SSL for encryption, only to protect session cookies.
+ // z_fetch_url() is also used to import shared links and other content
+ // so in theory most any cipher could show up and we should do our best
+ // to make the content available rather than tell folks that there's a
+ // weird SSL error which they can't do anything about.
+
+ $x = curl_version();
+ if(stristr($x['ssl_version'],'openssl'))
+ set_config('system','curl_ssl_ciphers','ALL:!eNULL');
+
+ // Create a system channel
 require_once ('include/identity.php');
 create_sys_channel();
+
+ $baseurl = $a->get_baseurl();
 return t('<h1>What next</h1>')
diff --git a/view/en/htconfig.tpl b/view/en/htconfig.tpl
index 8e2d32433..840e7a124 100644
--- a/view/en/htconfig.tpl
+++ b/view/en/htconfig.tpl
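Review bot: update_r1103() writes `'ALL:!eNULL'` to the `system` / `curl_ssl_ciphers` key on every OpenSSL-linked install without checking whether a value is already stored, so a stricter list an admin saved earlier would be replaced during the upgrade. Guarding it with `if(stristr($x['ssl_version'],'openssl') && ! get_config('system','curl_ssl_ciphers'))` avoids that. In OpenSSL cipher-string syntax `ALL` also covers anonymous (`aNULL`) suites and, on builds that still ship them, export-grade and low-strength suites. None of those are needed for the RC4 compatibility the commit is after, and `'ALL:!eNULL:!aNULL:!EXPORT:!LOW'` should keep RC4 while dropping them. The same check and literal are duplicated in what_next() in mod/setup.php, so the string is better defined once and shared.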
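Review bot: The comment added in what_next() justifies the permissive list with "We do not use SSL for encryption, only to protect session cookies", but the value it stores is read by z_fetch_url() and z_post_url(). It therefore governs outbound HTTPS requests rather than browser sessions, and a weak negotiated suite weakens protection of whatever those requests send and fetch. I would reword the comment to state that trade-off and name the override, e.g. `// Trade-off: this relaxes TLS on outbound fetches/posts in exchange for reachability; override with the 'system','curl_ssl_ciphers' config value.` The line "this can set via config" should read "this can be set via config". what_next() continues past the end of the hunk.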
@@ -85,13 +85,6 @@ $a->config['system']['php_path'] = '{{$phpath}}';
 $a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;
-
-// libcurl default ciphers - Redhat and NSS based systems may use a different
-// syntax. This indicates the ciphers we will accept when connecting to any
-// https site. We want this to be as liberal as possible.
-
-$a->config['system']['curl_ssl_ciphers'] = 'ALL:!eNULL';
-
 // default system theme
 $a->config['system']['theme'] = 'redbasic'; |