diff --git a/src/curlEngine.d b/src/curlEngine.d
index 8a437a17..d1150c29 100644
--- a/src/curlEngine.d
+++ b/src/curlEngine.d
@@ -540,46 +540,6 @@ class CurlEngine {
 // Return free memory to the OS
 GC.minimize();
 }
-
- // Disable SSL certificate peer verification for libcurl operations.
- //
- // This function disables the verification of the SSL peer's certificate
- // by setting CURLOPT_SSL_VERIFYPEER to 0. This means that libcurl will
- // accept any certificate presented by the server, regardless of whether
- // it is signed by a trusted certificate authority.
- //
- // -------------------------------------------------------------------------------------
- // WARNING: Disabling SSL peer verification introduces significant security risks:
- // -------------------------------------------------------------------------------------
- // - Man-in-the-Middle (MITM) attacks become trivially possible.
- // - Malicious servers can impersonate trusted endpoints.
- // - Confidential data (authentication tokens, file contents) can be intercepted.
- // - Violates industry security standards and regulatory compliance requirements.
- // - Should never be used in production environments or on untrusted networks.
- //
- // This option should only be enabled for internal testing, debugging self-signed
- // certificates, or explicitly controlled environments with known risks.
- //
- // See also:
- // https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
- void setDisableSSLVerifyPeer() {
- // Emit a runtime warning if debug logging is enabled
- if (debugLogging) {
- addLogEntry("WARNING: SSL peer verification has been DISABLED!", ["debug"]);
- addLogEntry(" This allows invalid or self-signed certificates to be accepted.", ["debug"]);
- addLogEntry(" Use ONLY for testing. 
This severely weakens HTTPS security.", ["debug"]);
- }
-
- // Disable SSL certificate verification (DANGEROUS)
- http.handle.set(CurlOption.ssl_verifypeer, 0);
- }
-
- // Enable SSL Certificate Verification
- void setEnableSSLVerifyPeer() {
- // Enable SSL certificate verification
- addLogEntry("Enabling SSL peer verification");
- http.handle.set(CurlOption.ssl_verifypeer, 1);
- }
 }
 
 // Methods to control obtaining and releasing a CurlEngine instance from the curlEnginePool
diff --git a/src/onedrive.d b/src/onedrive.d
index 17343e6c..a5b956f9 100644
--- a/src/onedrive.d
+++ b/src/onedrive.d
@@ -1555,7 +1555,6 @@ class OneDriveApi {
 SysTime retryTime;
 bool retrySuccess = false;
 bool transientError = false;
- bool sslVerifyPeerDisabled = false;
 
 while (!retrySuccess) {
 // Reset thisBackOffInterval
@@ -1687,9 +1686,8 @@ class OneDriveApi {
 // https://stackoverflow.com/questions/45829588/brew-install-fails-curl77-error-setting-certificate-verify
 // https://forum.dlang.org/post/vwvkbubufexgeuaxhqfl@forum.dlang.org
 
- string sslCertReadErrorMessage = "System SSL CA certificates are missing or unreadable by libcurl – please ensure the correct CA bundle is installed and is accessible.";
- addLogEntry("ERROR: " ~ sslCertReadErrorMessage);
- throw new OneDriveError(sslCertReadErrorMessage);
+ addLogEntry("Problem with reading the local SSL CA cert via libcurl - please repair your system SSL CA Certificates");
+ throw new OneDriveError("OneDrive operation encountered an issue with libcurl reading the local SSL CA Certificates");
 } else {
 // Was this a curl initialization error?
 if (canFind(errorMessage, "Failed initialization on handle")) {
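Review bot: The new log line in the `@@ -1687,9 +1686,8 @@` hunk drops the `ERROR: ` prefix that the line it replaces carried, and the text thrown in the `OneDriveError` no longer matches what is logged, so a user reading the log next to the exception sees two different descriptions of the same CA-bundle failure. Keeping the prefix and one shared wording would preserve that correlation: `addLogEntry("ERROR: Problem with reading the local SSL CA cert via libcurl - please repair your system SSL CA Certificates");` with the same string passed to `new OneDriveError(...)`. The enclosing method starts and ends outside the hunk, so I cannot see whether the other error paths in it use the prefix; worth checking for consistency.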
@@ -1811,30 +1809,6 @@ class OneDriveApi {
 // display the error message
 displayFileSystemErrorMessage(exception.msg, callingFunction);
 throw new OneDriveException(0, "There was a file system error during OneDrive request: " ~ exception.msg, response);
-
- // A OneDriveError was thrown
- } catch (OneDriveError exception) {
- // Disk space error or SSL error caused a OneDriveError to be thrown
-
- /**
-
- DO NOT UNCOMMENT THIS CODE UNLESS TESTING FOR THIS ISSUE: System SSL CA certificates are missing or unreadable by libcurl
-
- // Disk space error or SSL error
- if (getAvailableDiskSpace(".") == 0) {
- // Must exit
- forceExit();
- } else {
- // Catch the SSL error
- addLogEntry("WARNING: Disabling SSL peer verification due to libcurl failing to access the system CA certificate bundle (CAfile missing, unreadable, or misconfigured).");
- sslVerifyPeerDisabled = true;
- curlEngine.setDisableSSLVerifyPeer();
- }
-
- **/
-
- // Must exit
- forceExit();
 }
 
 // Increment re-try counter
@@ -1887,11 +1861,6 @@ class OneDriveApi {
 }
 }
 
- // Reset SSL Peer Validation if it was disabled
- if (sslVerifyPeerDisabled) {
- curlEngine.setEnableSSLVerifyPeer();
- }
-
 // Return the result
 return result;
 }