From 89e859d09248de6b1b9b9cdd652cb72c9f7ff098 Mon Sep 17 00:00:00 2001
From: xXx-caillou-xXx
Date: Wed, 29 Aug 2018 18:09:51 +0200
Subject: Change how we're validating certificates

---
 config/default.rules | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'config')

diff --git a/config/default.rules b/config/default.rules
index 6e443ea..6fac367 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -7,9 +7,6 @@ sp.disable_xxe.enable();
 # use SameSite on session cookie
 sp.cookie.name("PHPSESSID").samesite("lax");
 
-# Always verify certificates
-sp.curl_verify_certificates.enable();
-
 # Harden the `chmod` function
 sp.disable_function.function("chmod").param("mode").value_r("^[0-9]{2}[67]$").drop();
 
@@ -91,7 +88,13 @@ sp.disable_function.function("is_callable").param("var").value("passthru").drop(
 # sp.disable_function.function("mysqli_query").ret("FALSE").drop();
 # sp.disable_function.function("PDO::query").ret("FALSE").drop();
 
+# Ensure that certificates are properly verified
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+
 #File upload
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
 sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
-
-- 
cgit v1.3
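Review bot: The alias on the `value("64")` drop rule in the second hunk names `CURLOPT_SSL_VERIFYCLIENT`, which contradicts the comment directly above it that identifies 64 as SSL_VERIFYPEER; the PHP constant for option 64 is `CURLOPT_SSL_VERIFYPEER`, so the message should read `alias("Please don't turn CURLOPT_SSL_VERIFYPEER off.")`. The two allow rules are keyed only on `value` being "1" or "2", so `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1)` is also let through even though 2 is the documented strict host check; if that is not intended, the "1" allow could be narrowed to option 64. Because every rule here names only `curl_setopt`, the same options set via `curl_setopt_array()` are not matched by the drop rules, which deserves a comment next to `# Ensure that certificates are properly verified` (e.g. `# NOTE: only curl_setopt() is covered; curl_setopt_array() is not matched`) or an additional rule if the matcher can inspect array parameters. How boolean arguments are stringified by the `value()` matcher is not visible in this diff, so confirm that `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true)` still hits the `value("1")` allow rather than the drop before relying on these rules.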