Newsgroups: php.internals
From: pierre.php@gmail.com (Pierre Joye)
To: Ralph Schindler
Cc: internals
Date: Wed, 26 Sep 2012 07:51:13 +0200
Subject: Re: [PHP-DEV] OpenSSL Ini Options
In-Reply-To: <5061E246.4080508@ralphschindler.com>
References: <5061E246.4080508@ralphschindler.com>

Hi Ralph,

Btw, I added a custom capath ini setting for curl already. It allows you to set it and use an updated cert db as provided on the curl site:

http://www.php.net/manual/en/curl.configuration.php#ini.curl.cainfo

Something similar could be possible for openssl. Can you open a feature request on bugs.pop.net and assign it to me pls?

Cheers,

On Sep 25, 2012 6:56 PM, "Ralph Schindler" wrote:
> Hey all,
>
> An odd problem has cropped up that I think can be solved at the PHP level.
> Basically, on Ubuntu (and other distributions), using an ssl stream context
> with verify_peer = true could potentially fail. This is due to the fact
> that OpenSSL, seemingly, only has a compile-time value for CApath (that
> generally can't be changed to my knowledge), does not respond to any env.
> variables and does not take any system specific paths into consideration
> (with the exception of via SSL_CTX_load_verify_locations).
>
> In short, what you get is that a script like this:
>
> https://gist.github.com/3776515
>
> will fail for streams, but pass for cURL. (The reason cURL passes is they
> sub in default CApaths dependent on the system you're on.)
>
> What I propose is the addition of php.ini settings for a default capath
> that php can use when it is not supplied as an option to the ssl stream
> context:
>
> ;openssl.capath = '/etc/ssl/cert'
>
> Additionally, I would suggest that if this value is not present in a
> php.ini, we (like curl) stub in a path (default value) at compile time that
> matches the target system as best we can. I've found a list here:
>
> http://gagravarr.org/writing/openssl-certs/others.shtml
>
> The goal is to be able to influence the capath globally so that all
> streams can take advantage of it when OpenSSL is acting goofy (which is
> default on ubuntu), and when the user has not provided one via the ssl stream
> context option 'capath'.
>
> Basically, I want openssl/php stream ssl to work as well as cURL does.
>
> Hopefully I've explained this clearly enough, thoughts?
>
> -ralph
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
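As an added example (not code from the thread, from Ralph's gist, or from PHP itself), here is how a script can apply the fallback order discussed above: an explicit capath option, then the openssl.capath ini setting (which PHP 5.6 later added), then a list of distribution CA directories; it refuses to connect rather than silently skipping verification when none is found. It targets PHP 7.1+; the function names and the candidate directory list are my assumptions.

```php
<?php
// Added example: resolve a CA directory the way the thread proposes, and
// never open an ssl:// stream without peer verification.

function resolve_capath(?string $explicit = null): ?string
{
    if ($explicit !== null && is_dir($explicit)) {
        return $explicit;                     // stream context option wins
    }
    // openssl.capath is a real ini setting from PHP 5.6 on; older builds
    // return false here and fall through to the system candidates.
    $ini = ini_get('openssl.capath');
    if ($ini !== false && $ini !== '' && is_dir($ini)) {
        return $ini;
    }
    // Constructed (assumed) list of common distribution CA directories;
    // each must be c_rehash-style hashed for OpenSSL's capath lookup.
    foreach (['/etc/ssl/certs', '/etc/pki/tls/certs', '/usr/local/share/certs'] as $dir) {
        if (is_dir($dir)) {
            return $dir;
        }
    }
    return null;                              // caller decides: fail closed
}

function secure_ssl_context(?string $capath = null)
{
    $resolved = resolve_capath($capath);
    if ($resolved === null) {
        throw new RuntimeException('no CA directory found; refusing an unverified TLS connection');
    }
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,          // hostname check, PHP 5.6+
        'allow_self_signed' => false,
        'capath'            => $resolved,
    ]]);
}

function tls_connect_ok(string $host, ?string $capath = null): bool
{
    $ctx = secure_ssl_context($capath);
    $client = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($client === false) {
        $last = error_get_last();             // OpenSSL's verify error lands in the warning text
        fwrite(STDERR, "TLS to $host failed: " . ($last['message'] ?? $errstr) . "\n");
        return false;
    }
    fclose($client);
    return true;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    exit(tls_connect_ok($argv[1], $argv[2] ?? null) ? 0 : 1);
}
```

Running it as `php check.php example.org` on a box whose OpenSSL CApath is wrong reproduces the stream failure Ralph describes, and passing a second argument with a hashed CA directory shows the same connection succeeding.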