From 13369804a0b8d7a24ff6a6e3655a47ebe7491010 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sun, 14 Jul 2024 18:49:06 -0400
Subject: [PATCH 1/3] Improve documentation for `--ssl` option

Also move it to the top of the sample config file due to its importance.
---
 ddclient.conf.in | 8 ++++++--
 ddclient.in | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ddclient.conf.in b/ddclient.conf.in
index 22b5d0e..65a9650 100644
--- a/ddclient.conf.in
+++ b/ddclient.conf.in
@@ -16,13 +16,17 @@
 ## are mentioned here.
 ##
 ######################################################################
+
+## Use encryption (TLS) when the scheme (either "http://" or "https://") is
+## missing from a URL. Defaults to "no" for compatibility reasons, but you are
+## strongly encouraged to set this to "yes".
+ssl=yes
+
 daemon=300 # check every 300 seconds
 syslog=yes # log update msgs to syslog
 mail=root # mail all msgs to root
 mail-failure=root # mail failed update msgs to root
 pid=@runstatedir@/ddclient.pid # record PID in file.
-ssl=yes # use ssl-support. Works with
- # ssl-library
 # postscript=script # run script after updating. The
 # new IP is added as argument.
 #
diff --git a/ddclient.in b/ddclient.in
index 111516a..82ace95 100755
--- a/ddclient.in
+++ b/ddclient.in
@@ -1259,7 +1259,7 @@ my @opt = (
 "",
 ["options", "=s", "--options==[,=,...]\n : optional per-service arguments (see below)"],
 "",
- ["ssl", "!", "--{no}ssl : do updates over encrypted SSL connection"],
+ ["ssl", "!", '--{no}ssl : use encryption (TLS) when the scheme (either "http://" or "https://") is missing from a URL'],
 ["ssl_ca_dir", "=s", "--ssl_ca_dir= : look in for certificates of trusted certificate authorities (default: auto-detect)"],
 ["ssl_ca_file", "=s", "--ssl_ca_file= : look at for certificates of trusted certificate authorities (default: auto-detect)"],
 ["fw-ssl-validate", "!", "--{no}fw-ssl-validate : Validate SSL certificate when retrieving IP address from firewall"],
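Review bot: The new `ssl` comment block added at the top of ddclient.conf.in explains what happens when the scheme is missing, but it does not say that a URL written with an explicit `http://` is fetched in plaintext no matter how `ssl` is set, which is the behaviour the series' own ChangeLog and README describe for #608. Because `ssl=yes` reads like a global "always encrypt" switch, a user can believe every update is protected while an `http://` IP-check or provider URL still goes over the wire unencrypted. I would add one line after the existing comment: `## Note: a URL that explicitly starts with "http://" is always fetched unencrypted, regardless of this setting.` The same qualification would fit the rewritten `--{no}ssl` help string in the ddclient.in hunk, whose `@opt` list continues outside the hunk.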
From f0de73e8c468b18015a7807203e2e3351d159a83 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sun, 14 Jul 2024 18:36:35 -0400
Subject: [PATCH 2/3] Enable `--ssl` by default

In this day and age there's no good reason to prefer plain HTTP over HTTPS, and security is more important than potential compatibility concerns.
---
 ChangeLog.md | 2 ++
 ddclient.conf.in | 5 ++---
 ddclient.in | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index d60effc..36db792 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -7,6 +7,8 @@ repository history](https://github.com/ddclient/ddclient/commits/master).

 ### Breaking changes

+ * The `--ssl` option is now enabled by default.
+ [#705](https://github.com/ddclient/ddclient/pull/705)
 * Unencrypted (plain) HTTP is now used instead of encrypted (TLS) HTTP if the
 URL uses `http://` instead of `https://`, even if the `--ssl` option is
 enabled. [#608](https://github.com/ddclient/ddclient/pull/608)
diff --git a/ddclient.conf.in b/ddclient.conf.in
index 65a9650..19df639 100644
--- a/ddclient.conf.in
+++ b/ddclient.conf.in
@@ -18,9 +18,8 @@
 ######################################################################

 ## Use encryption (TLS) when the scheme (either "http://" or "https://") is
-## missing from a URL. Defaults to "no" for compatibility reasons, but you are
-## strongly encouraged to set this to "yes".
-ssl=yes
+## missing from a URL. Defaults to "yes".
+#ssl=yes

 daemon=300 # check every 300 seconds
 syslog=yes # log update msgs to syslog
diff --git a/ddclient.in b/ddclient.in
index 82ace95..7c06024 100755
--- a/ddclient.in
+++ b/ddclient.in
@@ -604,7 +604,7 @@ our %variables = (
 'timeout' => setv(T_DELAY, 0, 0, interval('120s'), interval('120s')),
 'retry' => setv(T_BOOL, 0, 0, 0, undef),
 'force' => setv(T_BOOL, 0, 0, 0, undef),
- 'ssl' => setv(T_BOOL, 0, 0, 0, undef),
+ 'ssl' => setv(T_BOOL, 0, 0, 1, undef),
 'syslog' => setv(T_BOOL, 0, 0, 0, undef),
 'facility' => setv(T_STRING,0, 0, 'daemon', undef),
 'priority' => setv(T_STRING,0, 0, 'notice', undef),

From c6581b03f2fcc7841b74dc9d5a126c4177dfc2ed Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sun, 14 Jul 2024 19:07:55 -0400
Subject: [PATCH 3/3] Bump version to v4.0.0~alpha

The list of breaking changes has become significant enough to warrant bumping the major version number.
---
 ChangeLog.md | 2 +-
 README.md | 4 ++--
 ddclient.in | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 36db792..ec8bc1a 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -3,7 +3,7 @@
 This document describes notable changes. For details, see the [source code
 repository history](https://github.com/ddclient/ddclient/commits/master).

-## v3.12.0~alpha (unreleased work-in-progress)
+## v4.0.0~alpha (unreleased work-in-progress)

 ### Breaking changes

diff --git a/README.md b/README.md
index b6d60a8..2c989aa 100644
--- a/README.md
+++ b/README.md
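Review bot: The `'ssl' => setv(T_BOOL, 0, 0, 1, undef)` line in `%variables` flips the default to on, but the `--{no}ssl` help string rewritten in the previous patch of this series still states no default, whereas the neighbouring `ssl_ca_dir` and `ssl_ca_file` entries spell out `(default: auto-detect)`. A user reading `--help` after upgrading therefore cannot see that omitting the option now means TLS for scheme-less URLs, which is exactly the breaking change this commit advertises in ChangeLog.md. I would append the default to that help text: `'--{no}ssl : use encryption (TLS) when the scheme (either "http://" or "https://") is missing from a URL (default: yes)'`. The `%variables` table continues outside the hunk, so I cannot tell from here whether any other entry or log message still describes `ssl` as off by default.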
@@ -136,11 +136,11 @@ If a fix is committed but not yet part of any tagged release, the notes here wil
 The `ssl` parameter forces all connections to use HTTPS. While technically
 working as expected, this behavior keeps coming up as a pain point when using
 HTTP-only IP querying sites such as http://checkip.dyndns.org. Starting with
-v3.12.0, the behavior is changed to respect `http://` in a URL. A separate
+v4.0.0, the behavior is changed to respect `http://` in a URL. A separate
 parameter to disallow all HTTP connections or warn about them may be added
 later.

-**Fix**: v3.12.0 uses HTTP to connect to URLs starting with `http://`. See
+**Fix**: v4.0.0 uses HTTP to connect to URLs starting with `http://`. See
 [here](https://github.com/ddclient/ddclient/pull/608) for more info.

 **Workaround**: Disable the SSL parameter
diff --git a/ddclient.in b/ddclient.in
index 7c06024..2080379 100755
--- a/ddclient.in
+++ b/ddclient.in
@@ -63,7 +63,7 @@ use Sys::Hostname;
 #
 # For consistency and to match user expectations, the release part of the version is always three
 # components: MAJOR.MINOR.PATCH.
-use version 0.77; our $VERSION = version->declare('v3.12.0.0_0');
+use version 0.77; our $VERSION = version->declare('v4.0.0.0_0');

 sub parse_version {
 my ($v) = @_;