
sysutils/nextcloud-backup: add option to disable SSL verification #5443

Open
enoch85 wants to merge 1 commit into opnsense:master from enoch85:nextcloud-backup-verify-ssl


@enoch85 enoch85 commented May 14, 2026

Adds an optional "Verify SSL certificate" checkbox to the Nextcloud backup settings.

  • Defaults to enabled; existing behavior is unchanged on upgrade.
  • When unchecked, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are disabled in
    curl_request_nothrow(), so backups work against Nextcloud instances behind self-signed
    or otherwise untrusted certificates.
  • Without this, users have to hand-edit Nextcloud.php after every plugin update.

Relates to #3405 (accept self-signed certificates) and #4422 (custom CA roots).

Changes:

  • NextcloudSettings.xml: new verify_ssl BooleanField, default 1; model version 1.0.2 -> 1.0.3
  • Nextcloud.php: UI field in getConfigurationFields(), curl options in curl_request_nothrow()
  • Makefile: plugin version 1.2 -> 1.3
  • pkg-descr: changelog entry

Adds an optional "Verify SSL certificate" checkbox to the Nextcloud
backup settings, defaulting to enabled so existing behavior is
preserved. When unchecked, CURLOPT_SSL_VERIFYPEER and
CURLOPT_SSL_VERIFYHOST are disabled, allowing the plugin to back up
to Nextcloud instances behind self-signed or otherwise untrusted
certificates without hand-editing Nextcloud.php after every update.

Relates to opnsense#3405 and opnsense#4422.
@enoch85 enoch85 force-pushed the nextcloud-backup-verify-ssl branch from f803ce1 to 4443de2 Compare May 14, 2026 10:40
@fichtner
Member

We tend to reject these because they degrade security for no reason. It’s easy enough to add the CA or self-signed cert to system: trust: authorities.
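
What the unchecked box does, beside the alternative raised in the comment above (keep verification on and trust the specific CA or self-signed certificate), as an added PHP example that is not code from the plugin or from anyone in this thread. It uses curl's per-request CURLOPT_CAINFO rather than the OPNsense trust store; the function names, the CA file path and the URL arguments are hypothetical.

```php
<?php
// Added example; function names and CLI arguments are hypothetical.
// What the unchecked box amounts to: any certificate, for any name, is accepted.
const INSECURE_TLS = [
    CURLOPT_SSL_VERIFYPEER => false, // chain is not validated
    CURLOPT_SSL_VERIFYHOST => 0,     // certificate name is not checked
];

// Keep verification on, trust exactly one CA (or self-signed) certificate, never fall back.
function pinned_ca_options(string $caFile): array
{
    $pem = @file_get_contents($caFile);
    if ($pem === false) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException("Not a PEM certificate: $caFile");
    }
    if ($info['validTo_time_t'] < time()) {
        throw new RuntimeException("CA certificate expired: $caFile");
    }
    return [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,       // name must match the certificate
        CURLOPT_CAINFO         => $caFile, // replaces the default CA bundle
    ];
}

// HEAD request that reports how the TLS handshake went.
function fetch_status(string $url, array $tlsOptions): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, $tlsOptions + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    return [
        'http_code' => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        'error'     => curl_error($ch), // e.g. a certificate problem
    ];
}

// Usage: php check.php /path/to/ca.pem https://nextcloud.example/
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    print_r(fetch_status($argv[2], pinned_ca_options($argv[1])));
}
```

Passing `INSECURE_TLS` to `fetch_status()` instead returns a response from any server that answers on that address, which is the difference the two option sets are meant to show.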

@enoch85
Author

enoch85 commented May 14, 2026

> We tend to reject these because they degrade security for no reason. It’s easy enough to add the CA or self-signed cert to system: trust: authorities.

Yeah I get that. It's really just for convenience, and IMHO it's a simple checkbox with a QoL improvement for your users (including me).

The default is on, so no real security implications if you don't intentionally tick it.

In my case I run let's encrypt and wouldn't that mean adding to authorities every three months?

@fichtner
Member

Let’s encrypt roots should be stable for years. A bit strange they are not in the default store, but they should be readily available for download on their end.

@enoch85
Author

enoch85 commented May 14, 2026

> Let’s encrypt roots should be stable for years. A bit strange they are not in the default store, but they should be readily available for download on their end.

Ok, thanks!

Anyway, please consider it. 🙏🏼

@Monviech
Member

Please consider using plaintext if you don't want proper trust xD

@enoch85
Author

enoch85 commented May 14, 2026

> Please consider using plaintext if you don't want proper trust xD

Well, I could do it over http since it's on localhost anyway, but...
