authorOlav Morken <olav.morken@uninett.no>2012-05-15 11:33:13 +0000
committerOlav Morken <olav.morken@uninett.no>2012-05-15 11:33:13 +0000
commit744fa4fae6b132fdbca301bd16c90680ec3dd102 (patch)
treec2100a54d9a3ef30a5e61354a6b1ff4971e5432c
parentce9bc78e67b3ff5a613a3bb3221960193d954572 (diff)
aselect: Enable verification of SSL certificate on A-Select endpoint.origin/simplesamlphp-1.8
Without the certificate check, we leave ourselves vulnerable to man-in-the-middle between the simpleSAMLphp installation and the A-Select server. Thanks to Thijs Kinkhorst for reporting this vulnerability! git-svn-id: https://simplesamlphp.googlecode.com/svn/branches/simplesamlphp-1.8@3098 44740490-163a-0410-bde0-09ae8108e29a
-rw-r--r--docs/simplesamlphp-changelog.txt6
-rw-r--r--modules/aselect/lib/Auth/Source/aselect.php1
2 files changed, 6 insertions, 1 deletions
diff --git a/docs/simplesamlphp-changelog.txt b/docs/simplesamlphp-changelog.txt
index f081c13..12e13e5 100644
--- a/docs/simplesamlphp-changelog.txt
+++ b/docs/simplesamlphp-changelog.txt
@@ -6,6 +6,12 @@ simpleSAMLphp changelog
This document lists the changes between versions of simpleSAMLphp.
See the upgrade notes for specific information about upgrading.
+## Version 1.8.3
+
+Released 2012-05-15.
+
+ * Fix missing SSL certificate check in `aselect` module.
+
## Version 1.8.2
Released 2012-01-10.
diff --git a/modules/aselect/lib/Auth/Source/aselect.php b/modules/aselect/lib/Auth/Source/aselect.php
index 2cba464..ba1743b 100644
--- a/modules/aselect/lib/Auth/Source/aselect.php
+++ b/modules/aselect/lib/Auth/Source/aselect.php
@@ -66,7 +66,6 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
// helper function for sending a non-browser request to a remote server
function as_call($url) {
$ch = curl_init();
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
$result = curl_exec($ch);
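Review bot: With the override removed, as_call() now depends on libcurl's defaults for TLS verification, and nothing in the visible lines states that the check is intentional or pins hostname verification. Setting both options explicitly, `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);` and `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);`, would document the intent and keep the man-in-the-middle protection if a later edit or an unusual build changes the default. If `$url` is expected to always be an HTTPS A-Select endpoint, `curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);` would also stop a misconfigured plain-HTTP URL from silently bypassing the check. Deployments whose A-Select server uses a private CA will now fail unless a CA bundle is configured, which may deserve an upgrade note. The rest of as_call() lies outside the hunk, so how a failed `curl_exec()` is handled cannot be checked here.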