Newsgroups: php.internals
Message-ID: <5061E246.4080508@ralphschindler.com>
Date: Tue, 25 Sep 2012 11:56:38 -0500
From: ralph@ralphschindler.com (Ralph Schindler)
To: internals
Subject: OpenSSL Ini Options

Hey all,

An odd problem has cropped up that I think can be solved at the PHP level. Basically, on Ubuntu (and other distributions), using an ssl stream context with verify_peer = true could potentially fail. This is due to the fact that OpenSSL, seemingly, only has a compile-time value for CApath (that generally can't be changed to my knowledge), does not respond to any env. variables and does not take any system-specific paths into consideration (with the exception of via SSL_CTX_load_verify_locations).

In short, what you get is that a script like this: https://gist.github.com/3776515 will fail for streams, but pass for cURL. (The reason cURL passes is they sub in default CApaths dependent on the system you're on.)

What I propose is the addition of php.ini settings for a default capath that php can use when it is not supplied as an option to the ssl stream context:

;openssl.capath = '/etc/ssl/cert'

Additionally, I would suggest that if this value is not present in a php.ini, we (like curl) stub in a path (default value) at compile time that matches the target system as best we can.
I've found a list here: http://gagravarr.org/writing/openssl-certs/others.shtml

The goal is to be able to influence the capath globally so that all streams can take advantage of it when OpenSSL is acting goofy (which is default on ubuntu), and when the user has not provided one via the ssl stream context option 'capath'. Basically, I want openssl/php stream ssl to work as well as cURL does.

Hopefully I've explained this clearly enough, thoughts?

-ralph
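One way to avoid the silent failure described above, as an added example that is not part of the original message: resolve the CA directory explicitly and pass it to the stream context instead of relying on OpenSSL's compile-time CApath. The `openssl.capath` ini key is the setting the post proposes (assumed here, not guaranteed to exist in a given PHP build), and the candidate directories are common distribution locations listed as assumptions, not a verified table.

```php
<?php
// Added example (not from the post). Assumes: the proposed php.ini key
// 'openssl.capath', and the candidate directories below as typical
// distribution locations for hashed CA certificates.

const CANDIDATE_CAPATHS = [
    '/etc/ssl/certs',       // assumed: Debian/Ubuntu style
    '/etc/pki/tls/certs',   // assumed: Red Hat style
    '/usr/share/ssl/certs', // assumed: older layouts
];

// Pick a CA directory: explicit option > ini setting > first existing
// candidate. Never returns '' so the context cannot fall back to
// OpenSSL's compile-time default without anyone noticing.
function resolve_capath(?string $explicit = null): string
{
    if ($explicit !== null && is_dir($explicit)) {
        return $explicit;
    }
    $ini = ini_get('openssl.capath'); // proposed setting; false when undefined
    if (is_string($ini) && $ini !== '' && is_dir($ini)) {
        return $ini;
    }
    foreach (CANDIDATE_CAPATHS as $dir) {
        if (is_dir($dir)) {
            return $dir;
        }
    }
    throw new RuntimeException(
        'No CA directory found; refusing to connect with verify_peer disabled'
    );
}

// Build a stream context that verifies the peer against the resolved path.
function verified_ssl_context(?string $capath = null)
{
    return stream_context_create(['ssl' => [
        'verify_peer' => true,
        'capath'      => resolve_capath($capath),
    ]]);
}

// Usage: php this.php hostname  (defaults to localhost for a local check)
$host = $argv[1] ?? 'localhost';
$ctx  = verified_ssl_context();
$fp   = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
                              STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    fwrite(STDERR, "TLS connect to $host failed ($errno): $errstr\n");
    exit(1);
}
fclose($fp);
echo "Peer verified using capath " . resolve_capath() . "\n";
```

If neither the option nor any candidate directory exists, the script fails loudly rather than connecting unverified, which is the failure mode worth surfacing when the compile-time CApath does not match the host.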