View Issue Details

IDProjectCategoryView StatusLast Update
0001827unrealircdpublic2015-08-08 18:26
ReporterDukePyrolator Assigned Tosyzop  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionno change required 
Summary0001827: remote includes with ssl and self signed server certificates
Description*** Notice -- error: unrealircd.conf:15: include: error downloading 'https://***/network.conf': SSL certificate problem, verify that the CA cert is OK

I use a self signed certificate.
Is there a way to disable the certificat checking in remote includes?

include "" { insecure; };

Additional InformationReleaseID ( 2004/05/18 21:17:29)
libcurl/7.11.0 OpenSSL/0.9.7d zlib/1.2.1
TagsNo tags attached.
3rd party modules


has duplicate 0002756 resolvedstskeeps SSL and Remote includes 



2004-05-22 14:56

reporter   ~0006374

Last edited: 2004-05-22 14:56

I found a solution for my "problem"

I added following line to url.c/set_curl_ssl_options
     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

perhaps you can make a config option for it? I think I'm not the only user with self signed ssl-certificates.

bearbeitet am: 2004-05-22 14:56


2004-05-22 19:36

reporter   ~0006379

I suppose I could make that tap into set::ssl::options to determine whether to allow it or not.


2004-05-23 00:06

reporter   ~0006387

I think its not a SSL option, its a CURL option.
look at, there are some more options who should included in Unreal.

--digest Enables HTTP Digest authentication
--cert use the specified certificate file when getting a file with HTTPS
--cacert use the specified certificate file to verify the peer
--ftp-ssl Make the FTP connection switch to use SSL/TLS. (Added in 7.11.0)
--insecure Tell libcurl to *not* verify the peer.
--config Specify which config file to read curl arguments from


2004-05-23 00:11

reporter   ~0006388

Yes, it's a curl option, but it is only valid for SSL, and so it is an SSL setting.


2005-02-25 00:37

reporter   ~0009298

any news on it?
I dont want to modify each unreal version to make it work on my network. :(


2005-02-25 10:18

administrator   ~0009301

hm.. why not just add the certificates? :P. Much more secure, and then you don't need to modify your unreal :P. Or did I miss anything...


2005-02-25 10:52

reporter   ~0009304

I have a self-signed ssl certificate.
A certificate signed by an offical CA costs a lot of money.


2005-02-25 11:03

administrator   ~0009305

yeah I know, but...
oh self-signed... so you cannot directly add that? fun :p
Well let me explain what I did on my network: I just created my own CA, and sign server certificates with that. AFAIK you can simply do the same with https SSL certificates.. And then you could just add that CA to curl :p.


2005-02-25 11:49

reporter   ~0009306

[quote]yeah I know, but...
oh self-signed... so you cannot directly add that? fun :p
Well let me explain what I did on my network: I just created my own CA, and sign server certificates with that. AFAIK you can simply do the same with https SSL certificates.. And then you could just add that CA to curl[/quote]
And there is always which does the same thing.


2007-04-19 04:39

reporter   ~0013593

Bump. Is this still valid? Patch?


2007-12-16 17:55

reporter   ~0014909

i still have problems with remote includes in self signed server certificates.

I'm using libcurl/7.17.1 OpenSSL/0.9.8a zlib/1.2.3 c-ares/1.4.0 libidn/0.6.0.
(Unreal 3.2.7)

include ""; results in: "Could not resolve host" (http:// is working)

My Modification from 2004 (CURLOPT_SSL_VERIFYPEER, FALSE) does not work.


2012-11-13 20:26

reporter   ~0017233

I have come across the issue that curl will not accept a self signed certificate. Anyway we can make an option for this?


2012-12-15 20:36

administrator   ~0017261

We could.
I was about to suggest set::curl::verify-certificate [yes|no]? (with the default of yes), but.. when I was writing that I realized there's a problem: the configuration isn't parsed until all remote includes have been fetched ;)
We could make it a ./Config option I guess.
Or parse the main config file for exactly this setting before we process remote includes, but that sounds quite hackish.


2013-02-15 08:18

reporter   ~0017418

The way I overcame this issue with remote includes was to just add my CA certificate for the webserver to curl-ca-bundle.crt in the Unreal folder. If you're using self-signed you can just add the webserver's certificate instead to the file.


2013-02-19 22:47

administrator   ~0017426

Yeah, that's the current way to do it :)
Remember that accepting any certificate (which is basically what Cronus and DukePyrolator are asking) is insecure. It permits man-in-the-middle (MITM) attacks where an attacker can intercept communication between the ircd and the https server and inject - for example - a configuration file of his choosing, thus grantin him oper access etc. Even worse, if the attacker has a local account on the same box the ircd is running on, then he could create a module in /tmp for example and make it load through this technique and run any code of his choosing.

So this would definitely never be the default.

The question is if we should make a ./Config option for this, or rather ./Config -advanced. It would be fine by me, I guess. Another option is include/config.h. We generally use that latter for options we advise against.


2013-02-20 00:27

reporter   ~0017428

I'd prefer to see this in include/config.h IF we opt to implement it, because:

* We advise against it (see Syzop's comments).
* There is a secure workaround (add cert to curl-ca-bundle.crt).
* It isn't a very widespread issue (as in this is the first or second time I have seen it since remote includes were added).


2013-02-20 02:56

reporter   ~0017429

I would prefer a ./Config option. Using a few Windows IRCd. Making it a config.h setting wouldn't be best.


2013-02-20 03:26

reporter   ~0017430

A ./Config option wouldn't help you on Windows either, the IRCd would need to be compiled either way :P


2013-02-20 03:27

reporter   ~0017431

Oh right, its late forgive me. I'll simplify it, make it work on the windows versions too!


2015-08-08 18:26

administrator   ~0018644

shouldn't use self-signed, can add to ca certificate bundle, see previous comment from me & all the other issues in previous comments.

Issue History

Date Modified Username Field Change
2004-05-21 00:52 DukePyrolator New Issue
2004-05-22 14:56 DukePyrolator Note Added: 0006374
2004-05-22 14:56 DukePyrolator Note Edited: 0006374
2004-05-22 19:36 codemastr Note Added: 0006379
2004-05-23 00:06 DukePyrolator Note Added: 0006387
2004-05-23 00:11 codemastr Note Added: 0006388
2005-02-25 00:37 DukePyrolator Note Added: 0009298
2005-02-25 10:18 syzop Note Added: 0009301
2005-02-25 10:52 DukePyrolator Note Added: 0009304
2005-02-25 11:03 syzop Note Added: 0009305
2005-02-25 11:49 codemastr Note Added: 0009306
2007-04-19 04:39 stskeeps Note Added: 0013593
2007-04-27 03:10 stskeeps Status new => feedback
2007-04-27 03:44 stskeeps Relationship added has duplicate 0002756
2007-12-16 17:55 DukePyrolator Note Added: 0014909
2012-11-13 20:26 Cronus Note Added: 0017233
2012-12-15 20:36 syzop Note Added: 0017261
2013-02-15 08:18 wolfwood Note Added: 0017418
2013-02-19 22:47 syzop Note Added: 0017426
2013-02-20 00:27 Stealth Note Added: 0017428
2013-02-20 02:56 Cronus Note Added: 0017429
2013-02-20 03:26 Stealth Note Added: 0017430
2013-02-20 03:27 Cronus Note Added: 0017431
2015-08-08 18:26 syzop Note Added: 0018644
2015-08-08 18:26 syzop Status feedback => closed
2015-08-08 18:26 syzop Assigned To => syzop
2015-08-08 18:26 syzop Resolution open => no change required