Remove abilility to configure curl's CA file, path, and SSL validation

rrthomas · Jul 10, 2023 · 447ab4e · 447ab4e
1 parent f7b0488
commit 447ab4e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 13 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -8,7 +8,10 @@ repository history](https://github.com/ddclient/ddclient/commits/master).
 ### Breaking changes
 
   * ddclient no longer runs as a daemon. Running via cron is recommended.
-  * ddclient now requires curl.
+  * ddclient now requires curl. The CA certificates path/file cannot be
+    configured in ddclient, and SSL validation cannot be insecure. If you
+    require any of these, configure ddclient to use a shell script that
+    calls curl.
   * ddclient no longer has built-in support for IP detection via routers and
     firewalls.
   * ddclient no longer ships any example files for init systems that use `/etc/init.d`.

diff --git a/ddclient.in b/ddclient.in
@@ -204,8 +204,6 @@ my %variables = (
         'geturl'              => setv(T_STRING,0, 0, '',                   undef),
 
         'postscript'          => setv(T_POSTS, 0, 0, '',                   undef),
-        'ssl_ca_dir'          => setv(T_FILE,  0, 0, undef,                undef),
-        'ssl_ca_file'         => setv(T_FILE,  0, 0, undef,                undef),
     },
     'service-common-defaults' => {
         'server'              => setv(T_FQDNP, 1, 0, 'members.dyndns.org', undef),
@@ -221,7 +219,6 @@ my %variables = (
         'ifv6'                => setv(T_IF,    0, 0, 'default',            undef),
         'web'                 => setv(T_STRING,0, 0, 'dyndns',             undef),
         'web-skip'            => setv(T_STRING,0, 0, '',                   undef),
-        'web-ssl-validate'    => setv(T_BOOL,  0, 0, 1,                    undef),
         'webv4'               => setv(T_STRING,0, 0, 'googledomains',      undef),
         'webv4-skip'          => setv(T_STRING,1, 0, '',                   undef),
         'webv6'               => setv(T_STRING,0, 0, 'googledomains',      undef),
@@ -776,9 +773,6 @@ my @opt = (
     ["options",           "=s", "-options <opt>=<val>[,<opt>=<val>,...]\n                        : optional per-service arguments (see below)"],
     "",
     ["ssl",               "!",  "-{no}ssl              : do updates over encrypted SSL connection"],
-    ["ssl_ca_dir",        "=s", "-ssl_ca_dir <dir>     : look in <dir> for certificates of trusted certificate authorities (default: auto-detect)"],
-    ["ssl_ca_file",       "=s", "-ssl_ca_file <file>   : look at <file> for certificates of trusted certificate authorities (default: auto-detect)"],
-    ["web-ssl-validate",  "!","-{no}web-ssl-validate   : Validate SSL certificate when retrieving IP address from web"],
     ["retry",             "!",  "-{no}retry            : retry failed updates"],
     ["force",             "!",  "-{no}force            : force an update even if the update may be unnecessary"],
     ["timeout",           "=i", "-timeout <max>        : when fetching a URL, wait at most <max> seconds for a response"],
@@ -2201,9 +2195,6 @@ sub geturl {
     } else {
         push(@curlopt, "silent");
         push(@curlopt, "include"); ## Include HTTP response for compatibility
-        push(@curlopt, "insecure") if ($use_ssl && !($params{ssl_validate} // 1));
-        push(@curlopt, "cacert=\"".escape_curl_param(opt('ssl_ca_file')).'"') if defined(opt('ssl_ca_file'));
-        push(@curlopt, "capath=\"".escape_curl_param(opt('ssl_ca_dir')).'"') if defined(opt('ssl_ca_dir'));
         push(@curlopt, "ipv4") if ($ipversion == 4);
         push(@curlopt, "ipv6") if ($ipversion == 6);
         push(@curlopt, "user-agent=\"".escape_curl_param("${program}/${version}").'"');
@@ -2292,7 +2283,6 @@ sub get_ip {
             $reply = geturl(
                 proxy => opt('proxy', $h),
                 url => $url,
-                ssl_validate => opt('web-ssl-validate', $h),
             ) // '';
         }
 
@@ -2668,7 +2658,6 @@ sub get_ipv4 {
             $reply = geturl( proxy => opt('proxy', $h),
                 url => $url,
                 ipversion => 4, # when using a URL to find IPv4 address we should force use of IPv4
-                ssl_validate => opt('ssl-validate', $h),
             ) // '';
         }
 
@@ -2768,7 +2757,6 @@ sub get_ipv6 {
                 proxy => opt('proxy'),
                 url => $url,
                 ipversion => 6, # when using a URL to find IPv6 address we should force use of IPv6
-                ssl_validate => opt('ssl-validate', $h),
             ) // '';
         }