From 447ab4e80fdb5ed4e6e099bd582dd2085041378c Mon Sep 17 00:00:00 2001 From: Reuben Thomas Date: Mon, 10 Jul 2023 14:58:39 +0300 Subject: [PATCH] Remove abilility to configure curl's CA file, path, and SSL validation --- ChangeLog.md | 5 ++++- ddclient.in | 12 ------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 3e88b8f9..605abeec 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -8,7 +8,10 @@ repository history](https://github.com/ddclient/ddclient/commits/master). ### Breaking changes * ddclient no longer runs as a daemon. Running via cron is recommended. - * ddclient now requires curl. + * ddclient now requires curl. The CA certificates path/file cannot be + configured in ddclient, and SSL validation cannot be insecure. If you + require any of these, configure ddclient to use a shell script that + calls curl. * ddclient no longer has built-in support for IP detection via routers and firewalls. * ddclient no longer ships any example files for init systems that use `/etc/init.d`. diff --git a/ddclient.in b/ddclient.in index 6800ce7f..b4d82e28 100755 --- a/ddclient.in +++ b/ddclient.in @@ -204,8 +204,6 @@ my %variables = ( 'geturl' => setv(T_STRING,0, 0, '', undef), 'postscript' => setv(T_POSTS, 0, 0, '', undef), - 'ssl_ca_dir' => setv(T_FILE, 0, 0, undef, undef), - 'ssl_ca_file' => setv(T_FILE, 0, 0, undef, undef), }, 'service-common-defaults' => { 'server' => setv(T_FQDNP, 1, 0, 'members.dyndns.org', undef), @@ -221,7 +219,6 @@ my %variables = ( 'ifv6' => setv(T_IF, 0, 0, 'default', undef), 'web' => setv(T_STRING,0, 0, 'dyndns', undef), 'web-skip' => setv(T_STRING,0, 0, '', undef), - 'web-ssl-validate' => setv(T_BOOL, 0, 0, 1, undef), 'webv4' => setv(T_STRING,0, 0, 'googledomains', undef), 'webv4-skip' => setv(T_STRING,1, 0, '', undef), 'webv6' => setv(T_STRING,0, 0, 'googledomains', undef), 
@@ -776,9 +773,6 @@ my @opt = ( ["options", "=s", "-options =[,=,...]\n : optional per-service arguments (see below)"], "", ["ssl", "!", "-{no}ssl : do updates over encrypted SSL connection"], - ["ssl_ca_dir", "=s", "-ssl_ca_dir : look in for certificates of trusted certificate authorities (default: auto-detect)"], - ["ssl_ca_file", "=s", "-ssl_ca_file : look at for certificates of trusted certificate authorities (default: auto-detect)"], - ["web-ssl-validate", "!","-{no}web-ssl-validate : Validate SSL certificate when retrieving IP address from web"], ["retry", "!", "-{no}retry : retry failed updates"], ["force", "!", "-{no}force : force an update even if the update may be unnecessary"], ["timeout", "=i", "-timeout : when fetching a URL, wait at most seconds for a response"], @@ -2201,9 +2195,6 @@ sub geturl { } else { push(@curlopt, "silent"); push(@curlopt, "include"); ## Include HTTP response for compatibility - push(@curlopt, "insecure") if ($use_ssl && !($params{ssl_validate} // 1)); - push(@curlopt, "cacert=\"".escape_curl_param(opt('ssl_ca_file')).'"') if defined(opt('ssl_ca_file')); - push(@curlopt, "capath=\"".escape_curl_param(opt('ssl_ca_dir')).'"') if defined(opt('ssl_ca_dir')); push(@curlopt, "ipv4") if ($ipversion == 4); push(@curlopt, "ipv6") if ($ipversion == 6); push(@curlopt, "user-agent=\"".escape_curl_param("${program}/${version}").'"'); @@ -2292,7 +2283,6 @@ sub get_ip { $reply = geturl( proxy => opt('proxy', $h), url => $url, - ssl_validate => opt('web-ssl-validate', $h), ) // ''; } @@ -2668,7 +2658,6 @@ sub get_ipv4 { $reply = geturl( proxy => opt('proxy', $h), url => $url, ipversion => 4, # when using a URL to find IPv4 address we should force use of IPv4 - ssl_validate => opt('ssl-validate', $h), ) // ''; } @@ -2768,7 +2757,6 @@ sub get_ipv6 { proxy => opt('proxy'), url => $url, ipversion => 6, # when using a URL to find IPv6 address we should force use of IPv6 - ssl_validate => opt('ssl-validate', $h), ) // ''; }
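Review bot: In the get_ipv6 hunk the context line `proxy => opt('proxy'),` looks up the proxy without the host argument, whereas the matching calls in the get_ip and get_ipv4 hunks use `opt('proxy', $h)`. The line removed just below it read `opt('ssl-validate', $h)`, so `$h` is in scope at that call. If opt() only resolves per-host settings when it is given the host (not visible in this patch), a host-specific proxy is ignored for IPv6 address discovery and the request leaves by a different path than the operator configured. Since the commit already edits this call, the line could become `proxy => opt('proxy', $h),`. The body of get_ipv6 starts and ends outside the hunk.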