Hey all,
An odd problem has cropped up that I think can be solved at the PHP
level. Basically, on Ubuntu (and other distributions), using ssl stream
context with verify_peer = true could potentially fail. This is due to
the fact that OpenSSL, seemingly, only has a compile-time value for
CApath (that generally can't be changed to my knowledge), does not
respond to any env. variables and does not take any system specific
paths into consideration (with the exception of via
SSL_CTX_load_verify_locations).
In short, what you get is that a script like this:
https://gist.github.com/3776515
will fail for streams, but pass for cURL. (The reason cURL passes is
they sub in default CApaths dependent on the system you're on.)
What I propose is the addition of php.ini settings for a default capath
that php can use when it is not supplied as an option to the ssl stream
context:
;openssl.capath = '/etc/ssl/cert'
Additionally, I would suggest that if this value is not present in a
php.ini, we (like curl) stub in a path (default value) at compile time
that matches the target system as best we can. I've found a list here:
http://gagravarr.org/writing/openssl-certs/others.shtml
The goal is to be able to influence the capath globally so that all
streams can take advantage of it when OpenSSL is acting goofy (which is
default on ubuntu), and when the user has not provided one via the ssl
stream context option 'capath'.
Basically, I want openssl/php stream ssl to work as well as cURL does.
Hopefully I've explained this clearly enough, thoughts?
-ralph
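As an added illustration of the fallback order Ralph proposes (not code from the thread, from the linked gist, or from PHP itself): a stream context with verify_peer enabled, where the CA location comes from the caller's 'cafile'/'capath' option first, then from a hypothetical openssl.capath ini setting, then from a list of assumed distribution default paths. The paths, the ini name and the helper names are assumptions for the example; only the ssl context options themselves are real PHP stream options.

```php
<?php
// Added example. Resolves a CA location for an ssl:// stream the way the
// proposal describes, then opens the connection with verify_peer = true
// so a missing or wrong CA location fails closed instead of silently
// accepting any certificate.

/**
 * Assumed distribution defaults (compare the list linked in the thread).
 * These are not paths PHP or OpenSSL know about on their own.
 */
function default_ca_locations()
{
    return array(
        'cafile' => array(
            '/etc/ssl/certs/ca-certificates.crt',   // Debian / Ubuntu bundle
            '/etc/pki/tls/certs/ca-bundle.crt',     // RHEL / CentOS bundle
        ),
        'capath' => array(
            '/etc/ssl/certs',                       // Debian / Ubuntu hashed dir
            '/etc/pki/tls/certs',                   // RHEL / CentOS hashed dir
        ),
    );
}

/**
 * Fill in 'cafile' or 'capath' when the caller gave neither:
 *  1. explicit context option wins,
 *  2. then the proposed (hypothetical) openssl.capath ini setting,
 *  3. then the first existing assumed default,
 *  4. otherwise leave it to OpenSSL's compiled-in CApath.
 */
function resolve_ca_options(array $ssl)
{
    if (isset($ssl['cafile']) || isset($ssl['capath'])) {
        return $ssl;
    }

    // ini_get() returns false for a setting that is not defined at all.
    $ini = ini_get('openssl.capath');
    if ($ini !== false && $ini !== '' && is_dir($ini)) {
        $ssl['capath'] = $ini;
        return $ssl;
    }

    $defaults = default_ca_locations();
    foreach ($defaults['cafile'] as $file) {
        if (is_file($file)) {
            $ssl['cafile'] = $file;
            return $ssl;
        }
    }
    foreach ($defaults['capath'] as $dir) {
        if (is_dir($dir)) {
            $ssl['capath'] = $dir;
            return $ssl;
        }
    }
    return $ssl;
}

/**
 * Open a verified TLS connection. Returns array(bool $ok, mixed $detail):
 * on success $detail is the resolved ssl option array, on failure the
 * socket error string, which is how a bad CA location shows up.
 */
function tls_connect($host, $port = 443, array $ssl = array(), $timeout = 10)
{
    $ssl = resolve_ca_options($ssl);
    $ssl['verify_peer'] = true;
    // Hostname check: 'peer_name' from PHP 5.6, 'CN_match' before that.
    if (PHP_VERSION_ID >= 50600) {
        $ssl['peer_name'] = $host;
    } else {
        $ssl['CN_match'] = $host;
    }

    $ctx = stream_context_create(array('ssl' => $ssl));
    $fp  = @stream_socket_client("ssl://$host:$port", $errno, $errstr,
                                 $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return array(false, "$errno: $errstr");
    }
    fclose($fp);
    return array(true, $ssl);
}

// Usage: an explicit capath, and the fallback path with none supplied.
list($ok, $detail) = tls_connect('www.php.net', 443, array('capath' => '/etc/ssl/certs'));
var_dump($ok, $detail);
list($ok, $detail) = tls_connect('www.php.net');
var_dump($ok, $detail);
```

With verify_peer set and no usable CA location at any of the three levels, stream_socket_client() fails and the reason is in $errstr; that failing-closed behaviour is what the thread wants to keep while making the default location sane.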
Hi Ralph,
Btw, I added custom capath ini setting for curl already. It allows you to
set it and use updated cert db as provided on curl site:
http://www.php.net/manual/en/curl.configuration.php#ini.curl.cainfo
Something similar could be possible for openssl. Can you open a feature
request on bugs.php.net and assign to me pls?
Cheers,