Edit report at https://bugs.php.net/bug.php?id=65154&edit=1
ID: 65154
Updated by: [email protected]
Reported by: bholbrook at bomgar dot com
Summary: setup_verify implicitly adds default CA paths
Status: Open
Type: Bug
Package: OpenSSL related
Operating System: all
PHP Version: 5.5.0
Block user comment: N
Private report: N

New Comment:

Feel free to attach your patch to the report. Thanks.

Previous Comments:
------------------------------------------------------------------------
[2013-06-27 22:20:05] bholbrook at bomgar dot com

Description:
------------
In openssl.c, the static setup_verify() function is designed to take a ZVAL array of directory and file paths, and return an X509_STORE* that contains the paths provided as trusted CA stores.

However, setup_verify() has a strange quirk, in that it requires there to always be at least one regular file and at least one directory in the X509_STORE. If the caller only specifies one or more directories and no regular files, setup_verify() will implicitly add OpenSSL's default CA file. Conversely, if the caller only specifies one or more regular files and no directories, setup_verify() will implicitly add OpenSSL's default CA hash dir.

Why? This behavior is both unnecessary and undesirable, but difficult to work around. I am calling setup_verify() with an array that contains a single directory of "trusted" CA certs for verification, but PHP is always implicitly including the default list of CA certs in the X509_STORE. In order to prevent this from happening, I also need to specify a dummy regular file to setup_verify(). BUT, that's not all! The dummy file cannot simply be /dev/null or some other empty file; it must actually parse as a valid PEM certificate in order for setup_verify() to consider the "file" requirement satisfied.

My expectation is that if I pass a single file or single hash_dir to this function, that is the *only* source that will be built into the X509_STORE. If _any_ valid input is provided to this function, there should be _no_ implicit behavior.
Please, rather than maintaining separate nfiles and ndirs counters, use a single "ntargets" counter that increments for both directory and valid file arguments. Then, if after parsing all array member arguments ntargets is still 0, feel free to add BOTH OpenSSL's default CA file and CA hash_dir, or whatever you feel is the most appropriate implicit behavior of this function.

I have patched my PHP this way and am running in production. I can provide the simple patch if necessary.
------------------------------------------------------------------------
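The classification logic the report describes, and the single-counter fix it proposes, as an added example that is not PHP's openssl.c code: a small C model in which a toy store records which trust sources get attached, built from both the "as reported" rule (each kind topped up separately) and the "proposed" rule (defaults only when no usable input at all). The default-path constants, the store type, the fixture and every function name here are assumptions for illustration; the real function works on OpenSSL's X509_STORE and X509_LOOKUP objects, and the PEM marker check stands in for X509_LOOKUP_load_file() failing on a file that holds no certificate, which is why an empty file or /dev/null does not count.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed stand-ins for OpenSSL's compiled-in defaults (X509_get_default_cert_file/_dir). */
#define DEFAULT_CAFILE "/usr/lib/ssl/cert.pem"
#define DEFAULT_CAPATH "/usr/lib/ssl/certs"
#define MAX_SOURCES 8
#define MAXPATH 512

/* Toy model of an X509_STORE: only the list of trust sources attached to it. */
typedef struct { char path[MAX_SOURCES][MAXPATH]; int n; } store_t;

static void store_add(store_t *s, const char *p) { if (s->n < MAX_SOURCES) snprintf(s->path[s->n++], MAXPATH, "%s", p); }

int store_contains(const store_t *s, const char *path)
{
    for (int i = 0; i < s->n; i++) if (strcmp(s->path[i], path) == 0) return 1;
    return 0;
}

/* X509_LOOKUP_load_file() fails unless it reads at least one certificate, so an empty
 * file or /dev/null never counts as a usable file; a PEM marker line models that here. */
static int file_has_pem_cert(const char *path)
{
    char line[256]; int found = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) found = strstr(line, "-----BEGIN CERTIFICATE-----") != NULL;
    fclose(f);
    return found;
}

/* Walk the caller's array as setup_verify() does: a directory becomes a hash-dir lookup,
 * a file must load as certificates, anything else is skipped (a warning in the original). */
static void add_caller_paths(store_t *s, const char *const *paths, int npaths, int *ndirs, int *nfiles)
{
    *ndirs = *nfiles = 0;
    for (int i = 0; i < npaths; i++) {
        struct stat st;
        if (stat(paths[i], &st) != 0) continue;
        if (S_ISDIR(st.st_mode)) { store_add(s, paths[i]); (*ndirs)++; }
        else if (file_has_pem_cert(paths[i])) { store_add(s, paths[i]); (*nfiles)++; }
    }
}

/* Behaviour the report describes: each kind is topped up with its default separately. */
int build_store_as_reported(store_t *s, const char *const *paths, int npaths)
{
    int ndirs, nfiles; s->n = 0;
    add_caller_paths(s, paths, npaths, &ndirs, &nfiles);
    if (nfiles == 0) store_add(s, DEFAULT_CAFILE);   /* dir-only call silently gains the CA file */
    if (ndirs == 0) store_add(s, DEFAULT_CAPATH);    /* file-only call silently gains the hash dir */
    return s->n;
}

/* Behaviour the reporter proposes: one ntargets counter; defaults only when it is still 0. */
int build_store_proposed(store_t *s, const char *const *paths, int npaths)
{
    int ndirs, nfiles; s->n = 0;
    add_caller_paths(s, paths, npaths, &ndirs, &nfiles);
    if (ndirs + nfiles == 0) { store_add(s, DEFAULT_CAFILE); store_add(s, DEFAULT_CAPATH); }
    return s->n;
}

/* Fixture: a scratch tree with a directory, a file holding a constructed PEM-style block
 * (not a real certificate) and an empty file; the chosen subset goes to one variant.
 * Returns the number of sources attached to the store, or -1 if the fixture failed. */
int run_scenario(int proposed, int with_dir, int with_pem, int with_empty, store_t *out)
{
    char root[] = "/tmp/setup_verify_XXXXXX", dir[MAXPATH], pem[MAXPATH], empty[MAXPATH];
    const char *paths[3]; int n = 0, count; FILE *f;
    if (!mkdtemp(root)) return -1;
    snprintf(dir, MAXPATH, "%s/capath", root);
    snprintf(pem, MAXPATH, "%s/dummy.pem", root);
    snprintf(empty, MAXPATH, "%s/empty", root);
    mkdir(dir, 0700);
    if ((f = fopen(pem, "w"))) { fputs("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n", f); fclose(f); }
    if ((f = fopen(empty, "w"))) fclose(f);
    if (with_dir) paths[n++] = dir;
    if (with_pem) paths[n++] = pem;
    if (with_empty) paths[n++] = empty;
    count = proposed ? build_store_proposed(out, paths, n) : build_store_as_reported(out, paths, n);
    unlink(pem); unlink(empty); rmdir(dir); rmdir(root);
    return count;
}

/* One-call checks: how many sources a scenario attaches, and whether `path` is among them. */
int scenario_count(int proposed, int d, int p, int e) { store_t s; return run_scenario(proposed, d, p, e, &s); }
int scenario_adds(int proposed, int d, int p, int e, const char *path)
{
    store_t s;
    return run_scenario(proposed, d, p, e, &s) < 0 ? -1 : store_contains(&s, path);
}

int main(void)
{
    printf("dir only, as reported: default CA file attached = %d\n", scenario_adds(0, 1, 0, 0, DEFAULT_CAFILE));
    printf("dir + empty file, as reported: default CA file attached = %d\n", scenario_adds(0, 1, 0, 1, DEFAULT_CAFILE));
    printf("dir only, proposed: default CA file attached = %d\n", scenario_adds(1, 1, 0, 0, DEFAULT_CAFILE));
    return 0;
}
```

The scenarios worth running are the ones in the report: a directory-only call under the reported rule attaches the default CA file, adding an empty file changes nothing because it never counts, and only a file that actually loads as a certificate suppresses the default; under the proposed rule a directory-only call attaches exactly that directory, and the defaults appear only when the caller supplied nothing usable. The practical consequence is the one the reporter objects to: a store meant to hold a private CA directory also trusts the system bundle, so any certificate chaining to a public CA would verify against it.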
