Brian Wolff has uploaded a new change for review.
https://gerrit.wikimedia.org/r/222079
Change subject: Use system default location for cafile when using php fopen.
......................................................................
Use system default location for cafile when using php fopen.
If not set, PHP appears to just use no CAs, and just explode.
Still won't work on Windows.
Only possible downside is if some future of PHP actually makes
fopen ssl wrapper sane, and this overrides a sane default behaviour.
Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
---
M includes/HttpFunctions.php
1 file changed, 23 insertions(+), 6 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/79/222079/1
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 825cd06..240fa14 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -915,12 +915,29 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
- if ( is_dir( $this->caInfo ) ) {
- $options['ssl']['capath'] = $this->caInfo;
- } elseif ( is_file( $this->caInfo ) ) {
- $options['ssl']['cafile'] = $this->caInfo;
- } elseif ( $this->caInfo ) {
- throw new MWException( "Invalid CA info passed:
{$this->caInfo}" );
+ if ( $this->caInfo ) {
+ $certLocations = array( $this->caInfo );
+ } else {
+ // Default locations, based on
+ //
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+ // PHP doesn't seem to have sane defaults, so we set
ourselves.
+ $certLocations = array(
+ '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et
al
+ '/etc/ssl/certs', # Debian et al
+ '/etc/pki/tls/certs/ca-bundle.trust.crt',
+
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+ '/System/Library/OpenSSL', # OSX
+ );
+ }
+
+ foreach( $certLocations as $cert ) {
+ if ( is_dir( $cert ) ) {
+ $options['ssl']['capath'] = $cert;
+ break;
+ } elseif ( is_file( $cert ) ) {
+ $options['ssl']['cafile'] = $cert;
+ break;
+ }
}
$context = stream_context_create( $options );
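Review bot: With the new "if ( $this->caInfo )" branch feeding the foreach, a caller-supplied $this->caInfo that is neither a directory nor a file no longer raises anything: the removed throw new MWException( "Invalid CA info passed: ..." ) has no replacement, so the loop ends with neither 'capath' nor 'cafile' set and stream_context_create() is called with no CA location configured. I would keep the exception for the explicit case, for example by checking after the loop that one of the two options was set whenever $this->caInfo is non-empty. The same silent fall-through happens when none of the default paths exists; logging that case would make the resulting verification failure easier to diagnose. Style: "foreach(" should be "foreach (" to match the spacing of the surrounding "if (" statements, and the trailing comments on the path list use "#" while the comments just above use "//".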
--
To view, visit https://gerrit.wikimedia.org/r/222079
Gerrit-MessageType: newchange
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff <[email protected]>
_______________________________________________
MediaWiki-commits mailing list