HTTPS security fixes: Use TLS instead of SSL v3; actually verify server certificate. #12
Conversation
SSLv3 has known security vulnerabilities. Dropbox is going to disable SSLv3 soon, so switch to TLS.
| I don't really know anything about CodeIgniter and am not currently set up to test this change. I believe it's a relatively safe change, but I'd appreciate it if you could test it out. |
cakoose changed the title Before this, the server's certificates were not verified, which is insecure. This change turns on certificate verification and uses the "root" certificate list from the official Dropbox SDK for PHP.
| @jimdoescode: Is there a chance this will get merged soon? Dropbox is going to disable SSLv3 in a week or so. |
| Sorry, for some reason I no longer get emails for pull requests from this project. Where does the certificate come from? I'm a little hesitant to include a certificate if it's not provided by Dropbox. |
| Oh, good point. This certificate list should match up exactly with the one in the official Dropbox SDKs. For example, here's the one in the official PHP SDK: https://github.com/dropbox/dropbox-sdk-php/blob/master/lib/Dropbox/certs/trusted-certs.crt |
| Oh gotcha. I'll test this out over the weekend and merge. Thanks for the heads up! |
| I've confirmed this pull request works. |
HTTPS security fixes: Use TLS instead of SSL v3; actually verify server certificate.
| Thanks brotha @ryne-andal |
3 participants
SSLv3 has known security vulnerabilities. Dropbox is going to disable
SSLv3 soon, so switch to TLS.