From 7375e305060df3818f01a96fbbd811921468ad89 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Tue, 25 Mar 2014 15:19:18 -0700
Subject: This should be a slight improvement in setting ciphers - we'll punt
 on RedHat but open up the list just for openssl distros which seem to have
 all the problems at the moment.

---
 boot.php             |  2 +-
 include/network.php  | 12 ++++--------
 install/update.php   | 11 +++++++++--
 mod/setup.php        | 19 +++++++++++++++++++
 view/en/htconfig.tpl |  7 -------
 5 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/boot.php b/boot.php
index a5a48b2bf..4c024309b 100755
--- a/boot.php
+++ b/boot.php
@@ -47,7 +47,7 @@ define ( 'RED_PLATFORM',            'Red Matrix' );
 define ( 'RED_VERSION',             trim(file_get_contents('version.inc')) . 'R');
 define ( 'ZOT_REVISION',            1     ); 
 
-define ( 'DB_UPDATE_VERSION',       1103  );
+define ( 'DB_UPDATE_VERSION',       1104  );
 
 define ( 'EOL',                    '<br />' . "\r\n"     );
 define ( 'ATOM_TIME',              'Y-m-d\TH:i:s\Z' );
diff --git a/include/network.php b/include/network.php
index 14771d88f..9f68328b7 100644
--- a/include/network.php
+++ b/include/network.php
@@ -44,10 +44,8 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
 	@curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; Red)");
 
 	$ciphers = @get_config('system','curl_ssl_ciphers');
-	if(! $ciphers)
-		$ciphers = 'ALL:!eNULL';
-
-	@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
+	if($ciphers)
+		@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
 
 	if (x($opts,'accept_content')){
 		@curl_setopt($ch,CURLOPT_HTTPHEADER, array (
@@ -152,10 +150,8 @@ function z_post_url($url,$params, $redirects = 0, $opts = array()) {
 	@curl_setopt($ch, CURLOPT_USERAGENT, "Red");
 
 	$ciphers = @get_config('system','curl_ssl_ciphers');
-	if(! $ciphers)
-		$ciphers = 'ALL:!eNULL';
-
-	@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
+	if($ciphers)
+		@curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $ciphers);
 
 
 	if (x($opts,'accept_content')){
diff --git a/install/update.php b/install/update.php
index 11b1c1da6..06a60db79 100644
--- a/install/update.php
+++ b/install/update.php
@@ -1,6 +1,6 @@
 <?php
 
-define( 'UPDATE_VERSION' , 1103 );
+define( 'UPDATE_VERSION' , 1104 );
 
 /**
  *
@@ -1158,4 +1158,11 @@ function update_r1102() {
 		intval(ABOOK_FLAG_UNCONNECTED)
 	);
 	return UPDATE_SUCCESS;
-}
\ No newline at end of file
+}
+
+function update_r1103() {
+	$x = curl_version();
+	if(stristr($x['ssl_version'],'openssl'))
+		set_config('system','curl_ssl_ciphers','ALL:!eNULL');
+	return UPDATE_SUCCESS;
+}
diff --git a/mod/setup.php b/mod/setup.php
index 83317dc4c..02c2268ce 100755
--- a/mod/setup.php
+++ b/mod/setup.php
@@ -605,9 +605,28 @@ function what_next() {
 	$a = get_app();
 	// install the standard theme
 	set_config('system','allowed_themes','redbasic');
+
+	// Set a lenient list of ciphers if using openssl. Other ssl engines
+	// (e.g. NSS used in RedHat) require different syntax, so hopefully 
+	// the default curl cipher list will work for most sites. If not, 
+	// this can set via config. Many distros are now disabling RC4,
+	// but many Red sites still use it and are unable to change it.
+	// We do not use SSL for encryption, only to protect session cookies.
+	// z_fetch_url() is also used to import shared links and other content 
+	// so in theory most any cipher could show up and we should do our best
+	// to make the content available rather than tell folks that there's a 
+	// weird SSL error which they can't do anything about. 
+
+	$x = curl_version();
+	if(stristr($x['ssl_version'],'openssl'))
+		set_config('system','curl_ssl_ciphers','ALL:!eNULL');
+
+
 	// Create a system channel
 	require_once ('include/identity.php');
 	create_sys_channel();	
+
+
 	$baseurl = $a->get_baseurl();
 	return 
 		t('<h1>What next</h1>')
diff --git a/view/en/htconfig.tpl b/view/en/htconfig.tpl
index 8e2d32433..840e7a124 100644
--- a/view/en/htconfig.tpl
+++ b/view/en/htconfig.tpl
@@ -85,13 +85,6 @@ $a->config['system']['php_path'] = '{{$phpath}}';
 
 $a->config['system']['directory_mode']  = DIRECTORY_MODE_NORMAL;
 
-
-// libcurl default ciphers - Redhat and NSS based systems may use a different
-// syntax. This indicates the ciphers we will accept when connecting to any
-// https site. We want this to be as liberal as possible.
-
-$a->config['system']['curl_ssl_ciphers'] = 'ALL:!eNULL';
-
 // default system theme
 
 $a->config['system']['theme'] = 'redbasic';
-- 
cgit v1.2.3