From be5f9f2dceba7b67041295914169fcbbbb07e5fd Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Thu, 3 Sep 2020 10:35:23 +0200
Subject: When ssl_verify is false, decrease SSL security (#3171)
When ssl_verify option is set to false for a feed, allow lower security such as SHA-1 signatures. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900984 https://stackoverflow.com/questions/58342699/php-curl-curl-error-35-error1414d172ssl-routinestls12-check-peer-sigalgwr Fix error of type `cURL error 35: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature` Example of feeds: https://www.version2.dk/it-nyheder/rss https://ing.dk/rss/nyheder
---
 app/Models/Entry.php | 3 +++
 lib/lib_rss.php | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/app/Models/Entry.php b/app/Models/Entry.php
index 75d8da12c..ed0c1245c 100644
--- a/app/Models/Entry.php
+++ b/app/Models/Entry.php
@@ -381,6 +381,9 @@ class FreshRSS_Entry extends Minz_Model {
 if (isset($attributes['ssl_verify'])) {
 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $attributes['ssl_verify'] ? 2 : 0);
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $attributes['ssl_verify'] ? true : false);
+ if (!$attributes['ssl_verify']) {
+ curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT@SECLEVEL=1');
+ }
 }
 $html = curl_exec($ch);
 $c_status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 8a58d2124..5c0a8a2bf 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -184,6 +184,9 @@ function customSimplePie($attributes = array()) {
 if (isset($attributes['ssl_verify'])) {
 $curl_options[CURLOPT_SSL_VERIFYHOST] = $attributes['ssl_verify'] ? 2 : 0;
 $curl_options[CURLOPT_SSL_VERIFYPEER] = $attributes['ssl_verify'] ? true : false;
+ if (!$attributes['ssl_verify']) {
+ $curl_options[CURLOPT_SSL_CIPHER_LIST] = 'DEFAULT@SECLEVEL=1';
+ }
 }
 $simplePie->set_curl_options($curl_options);
-- cgit v1.2.3
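Review bot: `'DEFAULT@SECLEVEL=1'` is an OpenSSL cipher string, yet both new `if (!$attributes['ssl_verify'])` branches (in `FreshRSS_Entry` here and in `customSimplePie()` in lib/lib_rss.php) set it regardless of which TLS library cURL was built against, and the `curl_setopt()` result is not checked. On a build whose backend does not parse `@SECLEVEL`, the option will probably make the transfer fail with a cipher error, so a feed that previously loaded with verification disabled could stop loading. Consider gating on the backend, for example `if (!$attributes['ssl_verify'] && stripos(curl_version()['ssl_version'], 'OpenSSL') !== false) {`. A comment such as `// Peer is already unauthenticated here; SECLEVEL=1 also accepts SHA-1 signatures and weaker keys (Debian #900984)` would keep the downgrade from being copied onto verified connections later. Both enclosing functions start and end outside the hunks.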