Hey all,

An odd problem has cropped up that I think can be solved at the PHP level. Basically, on Ubuntu (and other distributions), using ssl stream context with verify_peer = true could potentially fail. This is due to the fact that OpenSSL, seemingly, only has a compile-time value for CApath (that generally can't be changed to my knowledge), does not respond to any env. variables and does not take any system specific paths into consideration (with the exception of via SSL_CTX_load_verify_locations).

In short, what you get is that a script like this:

  https://gist.github.com/3776515

will fail for streams, but pass for cURL. (The reason cURL passes is they sub in default CApaths dependent on the system you're on.)

What I propose is the addition of php.ini settings for a default capath that php can use when it is not supplied as an option to the ssl stream context:

  ;openssl.capath = '/etc/ssl/cert'

Additionally, I would suggest that if this value is not present in a php.ini, we (like curl) stub in a path (default value) at compile time that matches the target system as best we can. I've found a list here:

  http://gagravarr.org/writing/openssl-certs/others.shtml

The goal is to be able to influence the capath globally so that all streams can take advantage of it when OpenSSL is acting goofy (which is default on Ubuntu), and when the user has not provided one via the ssl stream context option 'capath'.
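An added example (not the script behind the gist above, nor code from this mail) showing the two cases in PHP: a peer-verified stream that relies on OpenSSL's compile-time default location, and the same stream pointed at the distribution's store through the 'capath' context option, which is what the proposed ini default would supply globally. The host, the /etc/ssl/certs path and the helper name are assumptions.

```php
<?php
// Added example, not from the original mail or the gist.
// Opens a TLS connection with peer verification on; with $capath === null
// verification depends on OpenSSL's compile-time CApath, which is the
// failure mode described in the mail on Ubuntu.
function open_verified_tls(string $host, int $port = 443, ?string $capath = null): string
{
    $ssl = [
        'verify_peer' => true,   // abort the handshake if the chain cannot be verified
        'CN_match'    => $host,  // PHP 5.3/5.4 era: also check the certificate's subject
    ];
    if ($capath !== null) {
        // Explicit store: equivalent to what an openssl.capath ini default would do
        $ssl['capath'] = $capath;
    }
    $ctx = stream_context_create(['ssl' => $ssl]);

    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return "FAILED: $errstr ($errno)";
    }
    fclose($fp);
    return 'OK';
}

// Case 1: built-in default CApath only; may fail on Ubuntu and similar systems.
echo open_verified_tls('www.php.net'), "\n";
// Case 2: the distribution's store given explicitly (path is an assumption).
echo open_verified_tls('www.php.net', 443, '/etc/ssl/certs'), "\n";
```

Run both calls on a system where case 1 reports a verification failure; if case 2 then succeeds with the same host, the issue is the default CApath rather than the remote certificate.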

Basically, I want openssl/php stream ssl to work as well as cURL does.

Hopefully I've explained this clearly enough, thoughts?

-ralph

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
