In order for curl to verify a peer, the curl library must know where the trusted certificate authority certificates are.

This is usually done either by putting all the trusted certs in one file, or by placing them in a directory that is indexed using an openssl utility (at least this is true on most Linux implementations).

According to one PHP reference, it is possible to specify CURLOPT_CAINFO (all trusted certificate authority certs in one file) by setting an environment variable to the full path of the file containing the certs. I suppose this could be done by setting that in the Apache conf, but I prefer the path method and programmatic control.

The enclosed patch adds two variables, and two functions to set them, to the xmlrpc client class. The patch also, hopefully, implements them correctly where needed.

I have successfully tested these on a Linux distribution.

Regards,
Jim

diff -uNr xmlrpc.orig/debugger/action.php xmlrpc/debugger/action.php
--- xmlrpc.orig/debugger/action.php     2006-01-22 16:59:52.000000000 -0700
+++ xmlrpc/debugger/action.php  2006-04-03 13:11:07.673994700 -0700
@@ -57,6 +57,17 @@
     if ($protocol == 2)
     {
       $client->setSSLVerifyPeer($verifypeer);
+         if($verifypeer)
+         {
+               if($cainfo)
+               {
+                       $client->setCAInfo($cainfo);
+               }
+               if($capath)
+               {
+                       $client->setCAPath($capath);
+               }
+         }
       $client->setSSLVerifyHost($verifyhost);
       $httpprotocol = 'https';
     }
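Review bot: The added block inside `if ($protocol == 2)` is indented with a tab-and-space mix one level deeper than its sibling `$client->setSSLVerifyPeer($verifypeer);`, so the nesting reads wrong even though it is correct; the same layout appears in the xmlrpc.inc hunk that sets CURLOPT_CAINFO. Since each setter is a one-liner, the two nested ifs collapse to `if ($verifypeer && $cainfo) { $client->setCAInfo($cainfo); }` and `if ($verifypeer && $capath) { $client->setCAPath($capath); }` at the same indent as the surrounding calls. Note that `if ($cainfo)` is a truthiness test, so a path that is exactly `'0'` would be silently dropped; `$cainfo !== ''` states the intent precisely.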
diff -uNr xmlrpc.orig/debugger/common.php xmlrpc/debugger/common.php
--- xmlrpc.orig/debugger/common.php     2006-01-22 16:59:52.000000000 -0700
+++ xmlrpc/debugger/common.php  2006-04-03 12:48:37.627414700 -0700
@@ -63,6 +63,9 @@
       $responsecompression = $_GET['responsecompression'];
 
     $clientcookies = isset($_GET['clientcookies']) ? $_GET['clientcookies'] : 
'';
+       
+    $cainfo = isset($_GET['cainfo']) ? $_GET['cainfo'] : '';
+    $capath = isset($_GET['capath']) ? $_GET['capath'] : '';
   }
   else
   {
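Review bot: `$cainfo` and `$capath` are copied verbatim from `$_GET` and, per the other hunks, handed to curl as server-side filesystem paths, so the request decides which CA file or directory this debugger trusts; because `verifypeer` is already request-controlled this does not widen the trust model, but the values are never checked to be an existing readable file or directory, and a wrong path only surfaces as a curl error at request time. A guard next to the existing input check below the else branch, e.g. `if ($cainfo !== '' && !is_readable($cainfo)) { $cainfo = ''; }` and `if ($capath !== '' && !is_dir($capath)) { $capath = ''; }`, would fail early with a clearer message. The added line before the two assignments contains only trailing whitespace and should be dropped. The enclosing if/else runs on past the end of this hunk.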
@@ -82,6 +85,8 @@
     $requestcompression = 0;
     $responsecompression = 0;
        $clientcookies = '';
+       $cainfo = '';
+       $capath = '';
   }
 
   // check input for known XMLRPC attacks against this or other libs
diff -uNr xmlrpc.orig/debugger/controller.php xmlrpc/debugger/controller.php
--- xmlrpc.orig/debugger/controller.php 2006-01-22 16:59:52.000000000 -0700
+++ xmlrpc/debugger/controller.php      2006-04-03 12:55:54.282028900 -0700
@@ -77,11 +77,15 @@
     {
       document.frmaction.verifypeer.disabled = true;
       document.frmaction.verifyhost.disabled = true;
+      document.frmaction.cainfo.disabled = true;
+      document.frmaction.capath.disabled = true;
     }
     else
     {
       document.frmaction.verifypeer.disabled = false;
       document.frmaction.verifyhost.disabled = false;
+      document.frmaction.cainfo.disabled = false;
+      document.frmaction.capath.disabled = false;
     }
   }
 //-->
@@ -133,6 +137,12 @@
 <td></td></td><td>
 </tr>
 <tr>
+<td class="labelcell">&nbsp;</td>
+<td class="labelcell">CAInfo:</td><td><input type="text" size="30" 
name="cainfo" value="<?php echo htmlspecialchars($cainfo); ?>" /></td>
+<td class="labelcell">CAPath:</td><td><input type="text" size="30" 
name="capath" value="<?php echo htmlspecialchars($capath); ?>" /></td>
+<td></td><td></td>
+</tr>
+<tr>
 <td class="labelcell">PROXY:</td>
 <td class="labelcell">Server:</td><td><input type="text" name="proxy" 
value="<?php echo htmlspecialchars($proxy); ?>" /></td>
 <td class="labelcell">Proxy user:</td><td><input type="text" name="proxyuser" 
value="<?php echo htmlspecialchars($proxyuser); ?>" /></td>
diff -uNr xmlrpc.orig/lib/xmlrpc.inc xmlrpc/lib/xmlrpc.inc
--- xmlrpc.orig/lib/xmlrpc.inc  2006-01-22 16:59:54.000000000 -0700
+++ xmlrpc/lib/xmlrpc.inc       2006-04-03 10:47:31.686286300 -0700
@@ -728,6 +728,8 @@
                var $proxy_user = '';
                var $proxy_pass = '';
                var $cookies=array();
+               var $cainfo='';
+               var $capath='';
                /**
                * List of http compression methods accepted by the client for 
responses.
                * NB: PHP supports deflate, gzip compressions out of the box if 
compiled w. zlib
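Review bot: The two new properties are the only ones in this group that carry no documentation, while the neighbouring `$accepted_compression` gets a full docblock; what each value means is not obvious from the names. Suggested: `/** @var string Path to a file holding one or more CA certificates, passed to curl as CURLOPT_CAINFO; '' leaves curl's default */` above `var $cainfo='';` and `/** @var string Directory of CA certificates (hashed layout), passed to curl as CURLOPT_CAPATH; '' leaves curl's default */` above `var $capath='';`. The class body continues outside this hunk.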
@@ -899,6 +901,25 @@
                {
                        $this->verifyhost = $i;
                }
+               
+               /*
+               * @param string $cafile The name of a file holding one or more 
certificates to verify the peer with.
+               * @access public
+               */
+               function setCAInfo($cai)
+               {
+                       $this->cainfo = $cai;
+               }
+               
+               /*
+               * @param string $capath  A directory that holds multiple CA 
certificates.
+               * @access public
+               */
+               function setCAPath($cap)
+               {
+                       $this->capath = $cap;
+               }
+               
 
                /**
                * Set proxy info
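Review bot: Both new comment blocks open with `/*` rather than `/**`, so unlike the `Set proxy info` block right below they are not docblocks and documentation tools will ignore the `@param`/`@access` tags. The tag in `setCAInfo` also names `$cafile` while the parameter is `$cai`, and `setCAPath` documents `$capath` while the parameter is `$cap`; either rename the parameters to match the tags or the tags to match the parameters. The setters store the value without checking it, so it would help callers to add `Only used when setSSLVerifyPeer(true) is in effect; the file/directory is only opened by curl at send time` to each docblock. Three of the added lines hold only whitespace and, together with the existing blank context line, leave a double blank before the next docblock.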
@@ -1416,6 +1437,18 @@
                                }
                                // whether to verify remote host's cert
                                curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 
$this->verifypeer);
+                               
+                               if($this->verifypeer)
+                               {
+                                       if($this->cainfo)
+                                       {
+                                               curl_setopt($curl, 
CURLOPT_CAINFO, $this->cainfo);
+                                       }
+                                       if($this->capath)
+                                       {
+                                               curl_setopt($curl, 
CURLOPT_CAPATH, $this->capath);
+                                       }
+                               }
                                // whether to verify cert's common name (CN); 0 
for no, 1 to verify that it exists, and 2 to verify that it matches the 
hostname used
                                curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 
$this->verifyhost);
                        }
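Review bot: The two `curl_setopt` calls carry no comment, although every neighbouring option in this block explains its purpose and the CAPATH semantics are not obvious: the directory must be in the hashed layout produced by OpenSSL's `c_rehash` (the "openssl utility" the patch description mentions), and whether CURLOPT_CAPATH is honoured at all depends on the SSL backend libcurl was built against. Suggested comment above the added `if($this->verifypeer)`: `// CA bundle file / hashed CA directory used to validate the peer cert; only meaningful when verifypeer is on, and CAPATH requires a c_rehash-style directory (backend-dependent)`. As with the other hunks, `if($this->cainfo)` is a truthiness test; `$this->cainfo !== ''` is the precise form. The enclosing curl-setup block begins and ends outside this hunk.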
