Merge pull request #57 from Kami/specify_curl_ssl_options_update_readme

Force older versions of cURL to verify server SSL certificate, update readme, add module version to the User-Agent header
2013-11-17 10:39:06 -08:00 · 2013-11-17 10:39:06 -08:00 · 2a5242b139
parent 7b9129caca f579d64076
commit 2a5242b139
2 changed files with 25 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -31,9 +31,8 @@ ZNC Push was created by [John Reese](http://johnmreese.com) and designed to fill
 personal need.  It may not fit your use cases, but any and all feedback would be greatly
 appreciated.

-
-Compiling
---------
+Dependencies
+------------

 If you have installed ZNC from a Linux distribution's repository, you will most likely
 need to install the development package before building this module. On Ubuntu, this can
@ -41,6 +40,17 @@ be installed with:

    $ sudo aptitude install znc-dev

+Optionally, if you want to use libcurl for http requests, you also need to install cURL
+development header files.
+
+On Ubuntu, development headers can be installed by installing `libcurl3-dev` or
+`libcurl4-openssl-dev` package:
+
+    $ sudo aptitude install libcurl4-openssl-dev
+
+Compiling
+---------
+
 If you have `make` installed, you can compile the module with:

    $ make
@ -59,13 +69,16 @@ If you would like to compile ZNC Push using libcurl for http requests, you must
 If libcurl is not in the default system library paths, you will need to populate `$CXXFLAGS`
 with the appropriate GCC flags so that it can find and link ZNC Push with libcurl.

+Note: You are strongly encouraged to use libcurl transport. The reason for that is, that
+the default CSocket transport doesn't verify server's SSL certificate which leaves you
+vulnerable to MITM attacks.

 Installation
 ------------

 Copy the compiled module into your ZNC profile:

-    $ cp push.so ~/.znc/modules/
+    $ make install

 Now, load the module in ZNC:

--- a/push.cpp
+++ b/push.cpp
@ -52,7 +52,7 @@ class CPushSocket : public CSocket
 			parent = (CPushMod*) p;
 			first = true;
 			crlf = "\r\n";
-			user_agent = "ZNC Push";
+			user_agent = "ZNC Push/" + CString(PUSHVERSION);
 		}

 		// Implemented after CPushMod
@ -1500,6 +1500,8 @@ CURLcode make_curl_request(const CString& service_host, const CString& service_u

 	curl = curl_easy_init();

+	CString user_agent = "ZNC Push/" + CString(PUSHVERSION);
+
 	CString url = CString(use_ssl ? "https" : "http") + "://" + service_host + service_url;
 	CString query = build_query_string(params);

@ -1508,9 +1510,12 @@ CURLcode make_curl_request(const CString& service_host, const CString& service_u
 		curl_easy_setopt(curl, CURLOPT_VERBOSE, 1);
 	}

+	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+
 	curl_easy_setopt(curl, CURLOPT_URL, url.data());
 	curl_easy_setopt(curl, CURLOPT_PORT, port);
-	curl_easy_setopt(curl, CURLOPT_USERAGENT, "ZNC Push");
+	curl_easy_setopt(curl, CURLOPT_USERAGENT, user_agent.c_str());
 	curl_easy_setopt(curl, CURLOPT_TIMEOUT, 3); // three seconds ought to be good enough for anyone, eh?

 	if (service_auth != "")