From:             bholbrook at bomgar dot com
Operating system: all
PHP version:      5.5.0
Package:          OpenSSL related
Bug Type:         Bug
Bug description:  setup_verify implicitly adds default CA paths

Description:
------------
In openssl.c, the static setup_verify() function is designed to take a ZVAL
array of directory and file paths, and return an X509_STORE* that contains
the paths provided as trusted CA stores.

However, setup_verify() has a strange quirk, in that it requires there to
always be at least one regular file and at least one directory in
X509_STORE.

If the caller only specifies one or more directories and no regular files,
setup_verify() will implicitly add OpenSSL's default CA file.

Conversely, if the caller only specifies one or more regular files and no
directories, setup_verify() will implicitly add OpenSSL's default CA hash
dir.

Why?  This behavior is both unnecessary and undesirable, but difficult to
work around.

I am calling setup_verify() with an array that contains a single directory
of "trusted" CA certs for verification, but PHP is always implicitly
including the default list of CA certs to the X509_STORE.  In order to
prevent this from happening, I also need to specify a dummy regular file to
setup_verify().  BUT, that's not all!  The dummy file cannot simply be
/dev/null or some other empty file, it must actually parse as a valid PEM
certificate in order for setup_verify() to consider the "file" requirement
satisfied.

My expectation is that if I pass a single file or single hash_dir to this
function, that is the *only* source that will be built into X509_STORE.  If
_any_ valid input is provided to this function, there should be _no_
implicit behavior.

Please, rather than maintaining separate nfiles and ndirs counters, use a
single "ntargets" counter that increments for both directory and valid file
arguments. Then, after parsing all array member arguments, if ntargets
is still 0, feel free to add BOTH OpenSSL's default CA file and CA
hash_dir, or whatever you feel is the most appropriate implicit behavior of
this function.  I have patched my PHP this way and am running in
production.  I can provide the simple patch if necessary.


-- 
Edit bug report at https://bugs.php.net/bug.php?id=65154&edit=1
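
Added example, not part of the original report and not PHP's openssl.c source: a small C model of the two counting schemes the report describes, showing which OpenSSL defaults end up trusted for each input. The enum, flag and function names are hypothetical, and the model assumes every directory argument counts toward the directory requirement.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the entries a caller can pass in the CA path array. */
enum kind { CA_DIR, CA_FILE_VALID_PEM, CA_FILE_UNPARSEABLE };

/* Bit flags: which OpenSSL defaults get added implicitly. */
#define DEFAULT_CA_FILE 0x1u
#define DEFAULT_CA_DIR  0x2u

/* Reported behaviour: separate counters, each shortfall filled with a default. */
static unsigned defaults_added_reported(const enum kind *in, size_t n)
{
    int nfiles = 0, ndirs = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == CA_DIR) ndirs++;
        else if (in[i] == CA_FILE_VALID_PEM) nfiles++; /* e.g. /dev/null does not count */
    }
    return (nfiles == 0 ? DEFAULT_CA_FILE : 0u) | (ndirs == 0 ? DEFAULT_CA_DIR : 0u);
}

/* Proposed behaviour: one counter; defaults only when no valid input was given. */
static unsigned defaults_added_proposed(const enum kind *in, size_t n)
{
    int ntargets = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == CA_DIR || in[i] == CA_FILE_VALID_PEM) ntargets++;
    return ntargets == 0 ? (DEFAULT_CA_FILE | DEFAULT_CA_DIR) : 0u;
}

static void show(const char *label, const enum kind *in, size_t n)
{
    unsigned r = defaults_added_reported(in, n), p = defaults_added_proposed(in, n);
    printf("%-28s reported: file=%u dir=%u  proposed: file=%u dir=%u\n", label,
           r & DEFAULT_CA_FILE, (r & DEFAULT_CA_DIR) >> 1,
           p & DEFAULT_CA_FILE, (p & DEFAULT_CA_DIR) >> 1);
}

int main(void)
{
    const enum kind only_dir[]  = { CA_DIR };
    const enum kind dir_empty[] = { CA_DIR, CA_FILE_UNPARSEABLE };
    const enum kind dir_dummy[] = { CA_DIR, CA_FILE_VALID_PEM };
    const enum kind only_file[] = { CA_FILE_VALID_PEM };
    show("trusted dir only", only_dir, 1);
    show("trusted dir + empty file", dir_empty, 2);
    show("trusted dir + dummy PEM", dir_dummy, 2);
    show("CA file only", only_file, 1);
    return 0;
}
```

A nonzero "reported" column marks a case where the trust store is wider than the caller asked for, which is the condition worth auditing in code that relies on a private CA directory.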