Redmine API via SSL

[wsuff]

On the install I'm working on we just switched over to SSL for security reasons but unfortunately it appears this library assumes HTTP so all my logic against the redmine api no longer works. I'd assume it would be mostly changes to the client.php usage of CURL.

https://gist.github.com/159552ef7d45a1553aa5

diff --git a/lib/Redmine/Client.php b/lib/Redmine/Client.php
index 6fad9b9..4082d7c 100644
--- a/lib/Redmine/Client.php
+++ b/lib/Redmine/Client.php
@@ -172,10 +172,11 @@ class Client
             curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
         }
         curl_setopt($curl, CURLOPT_URL, $this->url.$path);
-        curl_setopt($curl, CURLOPT_PORT , 80);
+        curl_setopt($curl, CURLOPT_PORT , 443);
         curl_setopt($curl, CURLOPT_VERBOSE, 0);
         curl_setopt($curl, CURLOPT_HEADER, 0);
         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

         $tmp = parse_url($path);
         if ('xml' === substr($tmp['path'], -3)) {

was enough to satisfy my immediate need.

Better solution as I see it is below:

1. Check beginning of URL for http/ https
2. Check URL for : portnum
3. Add an additional function how how curl should treat SSL ignore invalid cert etc.

In this case it's selfsigned so it can't be verified.

[kbsali]

1. Check beginning of URL for http/ https

• done
  2) Check URL for : portnum
• done
  3) Add an additional function how how curl should treat SSL ignore invalid cert etc.
• todo. I'm not very familiar with SSL certificates to be honnest. Is it OK to always have CURLOPT_SSL_VERIFYPEER set to false?

Anyway, please check out the latest commit and let me know if it solves your connection issue.

Thanks.

[wsuff]

Diff doesn't look bad. Not sure if I'd write the logic in the same way but after reading thru the diff that would appear to get the job done..

http://curl.haxx.se/docs/sslcerts.html explains the curl handling of SSL in more detail. I didn't know much about it until I had to sort out this issue myself.

Personally I'd make it so people can enable SSL cert verification since it many cases that might be worth doing. In my case the box with the PHP code on it and the box with Redmine are one in the same so SSL brings little help there but if it had to travel over the WAN and the server had a valid cert I see no reason not to verify it so you can prove traffic to server wasn't redirected elsewhere.

In this case I'd say assume self signed since many users will probably self sign or not realize how curl goes about this. Perhaps Overload the new client to take an option like $SSLCERTVERIFY and assume FALSE. That way people can choose to verify the cert without any code modifications to the library.

Going to be a few days I think to get back to this. Code using it is in Production today so will have to test this on my own time. If I can I'll see if I can contrib a patch for the SSL cert options. That's the least I can do.

[wsuff]

Rolled this change into production and it worked nicely.

[kbsali]

I've add 2 new functions to allow more flexibility :

• setPort
• setCheckSslCertificate

Still by default, the port number is guessed and the ssl certificate NOT checked.