Skip to content

Commit

Permalink
Remove abilility to configure curl's CA file, path, and SSL validation
Browse files Browse the repository at this point in the history
  • Loading branch information
rrthomas committed Jul 10, 2023
1 parent 642b418 commit 88197fd
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 23 deletions.
5 changes: 4 additions & 1 deletion ChangeLog.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,10 @@ repository history](https://github.com/ddclient/ddclient/commits/master).
### Breaking changes

* ddclient no longer runs as a daemon. Running via cron is recommended.
* ddclient now requires curl.
* ddclient now requires curl. The CA certificates path/file cannot be
configured in ddclient, and SSL validation cannot be insecure. If you
require any of these, configure ddclient to use a shell script that
calls curl.
* ddclient no longer has built-in support for IP detection via routers and
firewalls.
* ddclient no longer ships any example files for init systems that use `/etc/init.d`.
Expand Down
25 changes: 3 additions & 22 deletions ddclient.in
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,6 @@ my %variables = (
'timeout' => setv(T_DELAY, 0, 0, interval('120s'), interval('120s')),
'retry' => setv(T_BOOL, 0, 0, 0, undef),
'force' => setv(T_BOOL, 0, 0, 0, undef),
'ssl' => setv(T_BOOL, 0, 0, 0, undef),
'syslog' => setv(T_BOOL, 0, 0, 0, undef),
'facility' => setv(T_STRING,0, 0, 'daemon', undef),
'priority' => setv(T_STRING,0, 0, 'notice', undef),
Expand All @@ -204,8 +203,6 @@ my %variables = (
'geturl' => setv(T_STRING,0, 0, '', undef),

'postscript' => setv(T_POSTS, 0, 0, '', undef),
'ssl_ca_dir' => setv(T_FILE, 0, 0, undef, undef),
'ssl_ca_file' => setv(T_FILE, 0, 0, undef, undef),
},
'service-common-defaults' => {
'server' => setv(T_FQDNP, 1, 0, 'members.dyndns.org', undef),
Expand All @@ -221,7 +218,6 @@ my %variables = (
'ifv6' => setv(T_IF, 0, 0, 'default', undef),
'web' => setv(T_STRING,0, 0, 'dyndns', undef),
'web-skip' => setv(T_STRING,0, 0, '', undef),
'web-ssl-validate' => setv(T_BOOL, 0, 0, 1, undef),
'webv4' => setv(T_STRING,0, 0, 'googledomains', undef),
'webv4-skip' => setv(T_STRING,1, 0, '', undef),
'webv6' => setv(T_STRING,0, 0, 'googledomains', undef),
Expand Down Expand Up @@ -258,7 +254,6 @@ my %variables = (
'login' => setv(T_LOGIN, 0, 0, 0, 'unused', undef),
},
'dnsexit2-common-defaults' => {
'ssl' => setv(T_BOOL, 0, 0, 1, undef),
'server' => setv(T_FQDNP, 1, 0, 'api.dnsexit.com', undef),
'path' => setv(T_STRING, 0, 1, '/dns/', undef),
'record-type' => setv(T_STRING, 1, 0, 'A', undef),
Expand Down Expand Up @@ -776,9 +771,6 @@ my @opt = (
["options", "=s", "-options <opt>=<val>[,<opt>=<val>,...]\n : optional per-service arguments (see below)"],
"",
["ssl", "!", "-{no}ssl : do updates over encrypted SSL connection"],
["ssl_ca_dir", "=s", "-ssl_ca_dir <dir> : look in <dir> for certificates of trusted certificate authorities (default: auto-detect)"],
["ssl_ca_file", "=s", "-ssl_ca_file <file> : look at <file> for certificates of trusted certificate authorities (default: auto-detect)"],
["web-ssl-validate", "!","-{no}web-ssl-validate : Validate SSL certificate when retrieving IP address from web"],
["retry", "!", "-{no}retry : retry failed updates"],
["force", "!", "-{no}force : force an update even if the update may be unnecessary"],
["timeout", "=i", "-timeout <max> : when fetching a URL, wait at most <max> seconds for a response"],
Expand Down Expand Up @@ -2177,15 +2169,13 @@ sub geturl {
my @header_lines = ();

## canonify proxy and url
$force_ssl = 1 if ($url =~ /^https:/);
$use_ssl = 1 if ($url =~ /^https:/);
$proxy =~ s%^https?://%%i if defined($proxy);
$url =~ s%^https?://%%i;
$server = $url;
$server =~ s%[?/].*%%;
$url =~ s%^[^?/]*/?%%;

$use_ssl = 1 if ($force_ssl || ($globals{'ssl'} && !($params{ignore_ssl_option} // 0)));

$protocol = ($use_ssl ? "https" : "http");

debug("proxy = %s", $proxy // '<undefined>');
Expand All @@ -2201,9 +2191,6 @@ sub geturl {
} else {
push(@curlopt, "silent");
push(@curlopt, "include"); ## Include HTTP response for compatibility
push(@curlopt, "insecure") if ($use_ssl && !($params{ssl_validate} // 1));
push(@curlopt, "cacert=\"".escape_curl_param(opt('ssl_ca_file')).'"') if defined(opt('ssl_ca_file'));
push(@curlopt, "capath=\"".escape_curl_param(opt('ssl_ca_dir')).'"') if defined(opt('ssl_ca_dir'));
push(@curlopt, "ipv4") if ($ipversion == 4);
push(@curlopt, "ipv6") if ($ipversion == 6);
push(@curlopt, "user-agent=\"".escape_curl_param("${program}/${version}").'"');
Expand Down Expand Up @@ -2292,7 +2279,6 @@ sub get_ip {
$reply = geturl(
proxy => opt('proxy', $h),
url => $url,
ssl_validate => opt('web-ssl-validate', $h),
) // '';
}

Expand Down Expand Up @@ -2668,7 +2654,6 @@ sub get_ipv4 {
$reply = geturl( proxy => opt('proxy', $h),
url => $url,
ipversion => 4, # when using a URL to find IPv4 address we should force use of IPv4
ssl_validate => opt('ssl-validate', $h),
) // '';
}

Expand Down Expand Up @@ -2768,7 +2753,6 @@ sub get_ipv6 {
proxy => opt('proxy'),
url => $url,
ipversion => 6, # when using a URL to find IPv6 address we should force use of IPv6
ssl_validate => opt('ssl-validate', $h),
) // '';
}

Expand Down Expand Up @@ -3912,9 +3896,7 @@ sub nic_domeneshop_update {
verbose("UPDATE:", "Updating %s", $h);

# Set the URL that we're going to to update
my $url;
$url = $globals{'ssl'} ? "https://" : "http://";
$url .= "$config{$h}{'server'}$endpointPath?hostname=$h&myip=$ip";
my $url = "https://$config{$h}{'server'}$endpointPath?hostname=$h&myip=$ip";

# Try to get URL
my $reply = geturl(
Expand Down Expand Up @@ -6336,8 +6318,7 @@ sub nic_dnsmadeeasy_update {
verbose("UPDATE:", "Updating %s", $h);

# Set the URL that we're going to to update
my $url;
$url = $globals{'ssl'} ? "https://" : "http://";
my $url = "https://";
$url .= $config{$h}{'server'} . $config{$h}{'script'};
$url .= "?username=$config{$h}{'login'}";
$url .= "&password=$config{$h}{'password'}";
Expand Down

0 comments on commit 88197fd

Please sign in to comment.