fix: check peers certificate when using https transport

fmoessbauer · fmoessbauer · commit a9f89a227a33 · 2020-09-27T16:17:22.000+02:00
Previously, the peers certificate identity was not checked.
By that, man-in-the-middle attacks where possible by using
self signed certificates.

The fix removes the CURLOPT_SSL_VERIFYPEER=0 configuration,
so that the CURL default is used and the certificate is properly
checked.
diff --git a/src/HTTP.cxx b/src/HTTP.cxx
@@ -77,7 +77,6 @@ void HTTP::initCurl(const std::string &url)
   }
   writeHandle = curl_easy_init();
   curl_easy_setopt(writeHandle, CURLOPT_URL, writeUrl.c_str());
-  curl_easy_setopt(writeHandle, CURLOPT_SSL_VERIFYPEER, 0);
   curl_easy_setopt(writeHandle, CURLOPT_CONNECTTIMEOUT, 10);
   curl_easy_setopt(writeHandle, CURLOPT_TIMEOUT, 10);
   curl_easy_setopt(writeHandle, CURLOPT_POST, 1);
@@ -97,7 +96,6 @@ void HTTP::initCurlRead(const std::string &url)
   mReadUrl = url + "&q=";
   mReadUrl.insert(mReadUrl.find('?'), "/query");
   readHandle = curl_easy_init();
-  curl_easy_setopt(readHandle, CURLOPT_SSL_VERIFYPEER, 0);
   curl_easy_setopt(readHandle, CURLOPT_CONNECTTIMEOUT, 10);
   curl_easy_setopt(readHandle, CURLOPT_TIMEOUT, 10);
   curl_easy_setopt(readHandle, CURLOPT_TCP_KEEPIDLE, 120L);
@@ -128,12 +126,6 @@ void HTTP::enableBasicAuth(const std::string &auth)
   curl_easy_setopt(readHandle, CURLOPT_USERPWD, auth.c_str());
 }
 
-void HTTP::enableSsl()
-{
-  curl_easy_setopt(readHandle, CURLOPT_SSL_VERIFYPEER, 0L);
-  curl_easy_setopt(writeHandle, CURLOPT_SSL_VERIFYPEER, 0L);
-}
-
 void HTTP::send(std::string &&lineprotocol)
 {
   CURLcode response;
@@ -206,7 +198,6 @@ void HTTP::createDatabase()
 
   CURL *createHandle = curl_easy_init();
   curl_easy_setopt(createHandle, CURLOPT_URL, createUrl.c_str());
-  curl_easy_setopt(createHandle, CURLOPT_SSL_VERIFYPEER, 0);
   curl_easy_setopt(createHandle, CURLOPT_CONNECTTIMEOUT, 10);
   curl_easy_setopt(createHandle, CURLOPT_TIMEOUT, 10);
   curl_easy_setopt(createHandle, CURLOPT_POST, 1);
diff --git a/src/HTTP.h b/src/HTTP.h
@@ -61,9 +61,6 @@ class HTTP : public Transport
   /// \param auth <username>:<password>
   void enableBasicAuth(const std::string &auth);
 
-  /// Enable SSL
-  void enableSsl();
-
   /// Get the database name managed by this transport
   [[nodiscard]] std::string databaseName() const;
 
diff --git a/src/InfluxDBFactory.cxx b/src/InfluxDBFactory.cxx
@@ -72,11 +72,6 @@ std::unique_ptr<Transport> withHttpTransport(const http::url &uri)
   {
     transport->enableBasicAuth(uri.user + ":" + uri.password);
   }
-
-  if (uri.protocol == "https")
-  {
-    transport->enableSsl();
-  }
   return transport;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -72,11 +72,6 @@ std::unique_ptr<Transport> withHttpTransport(const http::url &uri)`
`72`	`72`	`{`
`73`	`73`	`transport->enableBasicAuth(uri.user + ":" + uri.password);`
`74`	`74`	`}`
`75`		`-`
`76`		`- if (uri.protocol == "https")`
`77`		`- {`
`78`		`- transport->enableSsl();`
`79`		`- }`
`80`	`75`	`return transport;`
`81`	`76`	`}`
`82`	`77`