Improve HTTPS cert validation for appstore

[georgehrke]

make code use https interface of appstore and properly validate it's certificate

cc @karlitschek

[georgehrke]

related to #8808

[karlitschek]

yep. will do the next few days

[georgehrke]

@LukasReschke could you do me the favor and evaluate if it's enough to make this https or if there is a need to strengthen Util::getUrlContent()

[PVince81]

Setting to OC 7 CE

[georgehrke]

ping @LukasReschke

[LukasReschke]

I'll check this right away. Missed this one. sorry.

[georgehrke]

thanks :)

[LukasReschke]

We need to harden Util::getUrlContent() for this one. See the discussion on #7330 why PHP sucks on this and unfortunately I really didn't have the needed time to harden this as needed.

What has to be done:

1. Harden getUrlContent() similar as done by myself
2. Add a parameter verifyCert to getUrlContent (defaulting to false since PHP is really bad with SSL and this will break other stuff otherwise)
3. Add a cafile parameter which allows to use a custom CA file since using the system keystore in PHP is unreliable.
4. Package the publickey with ownCloud.
5. Set SNI_enabled to true (http://php.net/manual/en/context.ssl.php)
6. Set disable_compression to true when available (http://php.net/manual/en/context.ssl.php)
7. Write extensive unit tests ;-)

This requires proper testing on different PHP versions and with/without cURL installed.
Is this something you could take care of? That would be awesome!

\cc @karlitschek

[georgehrke]

This requires proper testing on different PHP versions and with/without cURL installed.
Is this something you could take care of? That would be awesome!

Isn't it enough to implement it, write a test and let jenkins take care of testing in different environments?

[LukasReschke]

Isn't it enough to implement it, write a test and let jenkins take care of testing in different environments?

No. Different PHP versions have an absolutely different behaviour regarding SSL, that's why we need Travis ;-) \cc @DeepDiver1975
Additionally we have to support cURL and plain PHP, oC will automatically use cURL if available (I guess the PHP one won't run on Jenkins therefore).
What would be possible is to refactor this into two different functions and write unit tests for both then :-)

[PVince81]

I wonder: are there that many environments where mod_curl is not available ? Do we still need to support that as well ?

[karlitschek]

@PVince81 Unfortunately we have to support this too. Shared hosters don´t have that installed sometimes.

[DeepDiver1975]

So what is the status here? OC7 is about to leave soon ...

[karlitschek]

will be done in the next 2 days

[MTRichards]

Ping?

[MTRichards]

are you done yet?

[karlitschek]

The SSL cert is done. I can see why an additional hard check against the actuall cert can be useful in some scenarios. But I´m not sure this is a showstopper for the release.

[MorrisJobke]

@karlitschek @craigpg Possible issue for first sprint?

[karlitschek]

actually I´m not sure if this should be very high on our priority list at the moment to be totally honest