From feb3cd8478e9edf835621bcb2299bb4e6c714ef9 Mon Sep 17 00:00:00 2001
From: Artem Kamshilin
Date: Fri, 28 Sep 2018 17:05:30 -0500
Subject: [PATCH] Enforce SSL host validation
Without CURLOPT_SSL_VERIFYHOST option, a legacy version of cURL may fail to ensure that the SSL certificate presented by remote host matches the name of the host cURL is connecting to. This may allow forged certificates to be used during transmission.
---
 PHP/BluePay.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/PHP/BluePay.php b/PHP/BluePay.php
index 44b71a4..5e8d8c1 100755
--- a/PHP/BluePay.php
+++ b/PHP/BluePay.php
@@ -920,6 +920,7 @@ public function process() {
 curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:')); // Required for query strings greater than 1024 characters.
 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); // Turns on verification of the SSL certificate.
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // Validate SSL host match
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // If not set, curl prints output to the browser
 curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
 if ($this->postURL == "https://secure.bluepay.com/interfaces/bp10emu") {
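Review bot: The added `CURLOPT_SSL_VERIFYHOST` line discards the return value of `curl_setopt()`, so on a cURL build that rejects the option the request would still be sent with hostname checking silently off; the `CURLOPT_SSL_VERIFYPEER` line just above has the same gap. Consider failing closed, e.g. `if (!curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2)) { /* abort: TLS host verification unavailable */ }`, using whatever error path `process()` already has. The trailing comment could also state what the value means, e.g. `// 2 = require the certificate name to match the host; 1 is no longer accepted by libcurl`. `process()` starts and ends outside this hunk, so the surrounding error handling is not visible here.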