
fix: enable TLS certificate verification in FileTransporter #97

Open

alessandro-bitetto wants to merge 2 commits into Euro-Office:main from alessandro-bitetto:fix/tls-verify-filetransporter

Conversation

@alessandro-bitetto


Summary

The cURL-based file transporter (Common/Network/FileTransporter/src/FileTransporter_curl.cpp) disabled TLS peer certificate verification on Linux — CURLOPT_SSL_VERIFYPEER, 0L — for both downloads (DownloadData) and uploads (UploadData). The original comment justified it with "Linux doesn't have root certificates built into the system".

That premise is no longer true: every mainstream distribution ships a system CA bundle (e.g. /etc/ssl/certs). The only effect of the bypass was to make all HTTPS transfers vulnerable to man-in-the-middle attacks — including uploads, which can carry document data.

Changes

  • Remove the #if defined(__linux__) blocks that set CURLOPT_SSL_VERIFYPEER, 0L at both call sites.
  • Explicitly enable CURLOPT_SSL_VERIFYPEER, 1L and CURLOPT_SSL_VERIFYHOST, 2L so the secure default is documented in-place and cannot be silently reintroduced.

Notes / compatibility

  • These values are libcurl's defaults; setting them explicitly is for clarity and regression-safety.
  • If a deployment target genuinely lacks a default CA bundle, the correct fix is to provide one via CURLOPT_CAINFO / CURLOPT_CAPATH, not to disable verification. On such targets, affected HTTPS requests will now fail fast instead of proceeding insecurely.
  • The --no-check-certificate wget fallback in transport_external.h is left untouched: it is gated to OLD_MACOS_SYSTEM and outside the Linux code path.

@alessandro-bitetto alessandro-bitetto requested a review from a team as a code owner June 12, 2026 09:40
@alessandro-bitetto alessandro-bitetto requested review from rikled and removed request for a team June 12, 2026 09:40
The cURL-based file transporter disabled peer certificate verification on
Linux (CURLOPT_SSL_VERIFYPEER, 0L) for both downloads and uploads, based on
the outdated premise that "Linux doesn't have root certificates". Modern
distributions ship a system CA bundle, so this only served to make every
HTTPS transfer vulnerable to man-in-the-middle attacks — including uploads
that can carry document data.

Enable full verification explicitly (VERIFYPEER + VERIFYHOST) at both call
sites so the secure default is documented and cannot be silently
reintroduced. Platforms without a default CA bundle should configure one via
CURLOPT_CAINFO/CURLOPT_CAPATH rather than disabling verification.

Signed-off-by: Alessandro Bitetto <alessandro.bitetto@qodesrl.com>
@alessandro-bitetto alessandro-bitetto force-pushed the fix/tls-verify-filetransporter branch from 1ddb5e6 to 9a86ca2 Compare June 12, 2026 09:40
@juliusknorr juliusknorr requested a review from DmySyz June 12, 2026 10:07