Opened 10 years ago

Closed 10 years ago

#4810 closed Enhancement (fixed)

Add environment variable options to have libcurl verify SSL certs

Reported by: infinity0
Owned by: jordan
Priority: Normal
Milestone: 2.51
Component: libtransmission
Version: 2.50
Severity: Normal
Keywords: ssl cert verify


Currently, Transmission switches off SSL cert verification for libcurl. This is a pain for someone who wants to communicate with the correct tracker securely, e.g. for a private torrent.

I've implemented it in the supplied patch, but it doesn't expose the behaviour in a user-friendly way - instead it simply logs some messages on how to use the feature. The main flaw is that invalid certs show up as "Could not connect to tracker", which may be a bit misleading.

If anyone is interested, my use case is encrypted backup over BitTorrent. I'd like my BitTorrent clients to know they are connecting to the correct tracker, before revealing the info hash to it.

The tracker assumes that everyone who presents the info_hash is implicitly authorized to obtain the data. The torrents are distributed out-of-band via SSH to the clients, and I have switched off DHT/PEX/etc. So the only hole left is if someone MITMs the clients, pretending to be the tracker, to try to trick them into revealing the info_hash.

(I also have other access restrictions on the tracker, such as IP checking, but these are only "soft" controls.)

Attachments (1)

curl_ssl_verify.patch (1.8 KB) - added by infinity0 10 years ago.


Change History (3)

Changed 10 years ago by infinity0

comment:1 Changed 10 years ago by jordan

  • Milestone changed from None Set to 2.60
  • Status changed from new to assigned

comment:2 Changed 10 years ago by jordan

  • Milestone changed from 2.60 to 2.51
  • Resolution set to fixed
  • Status changed from assigned to closed

I've applied this patch in r13245 with a couple of trivial changes: (1) I made curl_ca_bundle a const field, and (2) only invoke curl_easy_setopt(CURLOPT_CAINFO) if the verify flag is TRUE. If I've broken anything with these tweaks, please let me know -- I don't have an SSL tracker to test with. :)

Thanks for the patch.
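Worked example, added for this page and not part of the reporter's patch or of libtransmission, of the policy the ticket description and comment:2 describe: verification is opt-in through environment variables, the CA bundle is only consulted when verification is on, and a rejected certificate is reported separately from "Could not connect to tracker". It is a Python standard-library stand-in for the libcurl options involved (CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST, CURLOPT_CAINFO); the variable names TR_CURL_SSL_VERIFY and CURL_CA_BUNDLE, the announce parameters and the tracker URL in the usage are assumptions, since the patch itself is not shown here.

```python
"""Tracker TLS policy modelled on the ticket (added example, not project code).

Python ssl equivalents of the libcurl options the ticket is about:
  CURLOPT_SSL_VERIFYPEER -> SSLContext.verify_mode = CERT_REQUIRED
  CURLOPT_SSL_VERIFYHOST -> SSLContext.check_hostname = True
  CURLOPT_CAINFO         -> SSLContext.load_verify_locations(cafile=...)
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlencode, urlsplit

VERIFY_VAR = "TR_CURL_SSL_VERIFY"  # assumed name: presence alone turns verification on
CA_BUNDLE_VAR = "CURL_CA_BUNDLE"   # assumed name: path to a PEM bundle of trusted CAs


@dataclass(frozen=True)
class TlsPolicy:
    verify: bool
    ca_bundle: Optional[str]  # None -> system trust store


def policy_from_env(env: Mapping[str, str]) -> TlsPolicy:
    """Derive the policy from an environment mapping (os.environ in practice)."""
    verify = VERIFY_VAR in env
    # Same ordering as the comment:2 tweak: the bundle is only read when the
    # verify flag is set, so a stray CA_BUNDLE never implies a check that is
    # not actually happening.
    ca_bundle = env.get(CA_BUNDLE_VAR) if verify else None
    return TlsPolicy(verify=verify, ca_bundle=ca_bundle or None)


def make_context(policy: TlsPolicy) -> ssl.SSLContext:
    """PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED plus hostname
    checking, so the verify branch only has to say which CAs to trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if policy.verify:
        if policy.ca_bundle is not None:
            ctx.load_verify_locations(cafile=policy.ca_bundle)  # CURLOPT_CAINFO
        else:
            ctx.load_default_certs()
    else:
        # The pre-patch behaviour (VERIFYPEER=0, VERIFYHOST=0): any certificate
        # from anyone is accepted, so a MITM can stand in for the tracker.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


class TrackerError(Exception):
    """Could not reach the tracker (DNS, TCP, timeout, HTTP error)."""


class TrackerCertError(TrackerError):
    """The tracker presented a certificate we do not trust."""


def build_query(info_hash: bytes, peer_id: bytes, port: int) -> str:
    """Minimal announce query; urlencode percent-encodes the raw 20-byte values."""
    return urlencode({"info_hash": info_hash, "peer_id": peer_id, "port": port,
                      "uploaded": 0, "downloaded": 0, "left": 0, "compact": 1})


def announce(announce_url: str, info_hash: bytes, peer_id: bytes, policy: TlsPolicy,
             port: int = 51413, timeout: float = 10.0) -> bytes:
    """Announce and return the raw bencoded response.

    The TLS handshake runs inside connect(); the info_hash only goes on the
    wire in request(), i.e. after the peer has proven it holds the key for a
    certificate we trust, which is the ordering the reporter's threat model needs.
    """
    u = urlsplit(announce_url)
    if u.scheme != "https" or not u.hostname:
        raise TrackerError(f"refusing to announce over {u.scheme!r}: no transport protection")
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                       timeout=timeout, context=make_context(policy))
    try:
        conn.connect()
    except ssl.SSLCertVerificationError as e:
        # Distinct from a plain connection failure, unlike the patch's logging.
        raise TrackerCertError(f"tracker certificate rejected: {e.verify_message}") from e
    except OSError as e:
        raise TrackerError(f"could not connect to tracker: {e}") from e
    try:
        conn.request("GET", f"{u.path or '/'}?{build_query(info_hash, peer_id, port)}")
        resp = conn.getresponse()
        if resp.status != 200:
            raise TrackerError(f"tracker returned HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    import os
    import sys
    pol = policy_from_env(os.environ)
    print(f"verify={pol.verify} ca_bundle={pol.ca_bundle}")
    if len(sys.argv) > 1:  # e.g. https://tracker.example/announce (assumed URL)
        try:
            print(announce(sys.argv[1], b"\x00" * 20, b"-PY0000-" + b"0" * 12, pol)[:80])
        except TrackerCertError as e:
            sys.exit(f"CERT: {e}")
        except TrackerError as e:
            sys.exit(f"NET: {e}")
```

Run with `TR_CURL_SSL_VERIFY=1 CURL_CA_BUNDLE=/path/to/tracker-ca.pem python3 announce.py https://tracker.example/announce` to pin the tracker to a private CA; without the verify variable the context accepts any certificate, which is exactly the state the ticket set out to fix. Note that the libcurl command-line tool honours CURL_CA_BUNDLE by itself, but libcurl the library does not, which is why the application has to read it and pass CURLOPT_CAINFO.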
