[Kolab-devel] SSL configuration chaos for the HTTP_Request2 object

Daniel Hoffend dh at dotlan.net
Sun Aug 25 01:06:33 CEST 2013 

Hi,

I found some inconstinces and duplicated variables in the config section 
which
leads to a) confusion and b) possible errors since one of those versions 
doesn't
offer all needed configuration could be insecure. (kolab 3.1 alpha)

In this particular case it's about the usage of the HTTP_Request2 
Object. It's
used for using internal api between parts of kolab/roundcube. I came 
across
this issue when I conigured chwala/kobal_files and moved the web 
location to a
https url. It ended up with constant httpd errors telling me the ssl 
verification
has failed.

*

Digging into the code. I found 2 different ways how kolab code/plugins 
are
initializing the HTTP_Request2 object.

1)
https://git.kolab.org/kolab-chwala/tree/lib/kolab/plugins/libkolab/lib/kolab_storage_folder.php#n1104
https://git.kolab.org/roundcubemail-plugins-kolab/tree/plugins/kolab_files/lib/kolab_files_engine.php#n588

2)
http://git.kolab.org/kolab-chwala/tree/lib/file_ui_api.php#n69

Version 1: is configured multiple times but only contains the basic 
option
with a custom variable name "kolab_ssl_verify_peer" and nothing more. If 
you
plan to move kolab_files/chwala to a ssl site you need more options to 
securely
and correctly configure the HTTP_Request2.

Version 2: Looks pretty much complete and correct to me. All ssl related 
options
are available and can be defined via config.inc.php.

*

To configure a HTTP_Request2 Object and leave verify_peer=true it's 
needed to
set the ssl_cafile or capath (pointing to your system ca-bundle.crt). 
Just
turning of ssl checks (with 2 different config options) isn't the nice 
way.

You can found the HTTP_Request2 Object with the kolab_ssl_verify_peer 
option in
multiple plugins: chwala, kolab_files, calendar (freebusy), libkolab, 
...

In my eyes I would say it's worth refactoring this object usage. Having 
two
different ways to configure the HTTP_Request2 object with 2 different 
and even
incomplete config options is misleading and can cause frustration. At 
least
it did this on my side cause i  was spending multiple hours to figure 
out
why the ssl request internally failed.

*

I see 2 ways to go (if version 2 is the clean and prefered one)

1) duplicate the configure request function block into all places that 
are
    using to the HTTP_Request2 object
or
2) create some kind of wrapper object/function in a central 
location/module
    that returns the preconfigured HTTP_Request object.

The possible ssl settings can be included in the config.inc.php or 
kolab.inc.php
but uncommented aslong they're not needed. The kolab_ssl* options should 
go.

*

I don't know your preferences therefore i'm asking in advance, I'm
willing to create a git patch if needed/wanted.

Hope that helps

--
Regards,
Daniel

More information about the devel mailing list