[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 (cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713) --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 8302124..349ace3 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -831,6 +831,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { wfProfileIn( __METHOD__ ); 
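Review bot: `getenv( 'SSL_CERT_PATH' )` in the fallback list of getCertOptions() is not a variable OpenSSL itself consults; the OpenSSL convention pairs `SSL_CERT_DIR` with `SSL_CERT_FILE`, so this entry looks like it was meant to be `getenv( 'SSL_CERT_FILE' )` and as written will nearly always come back empty and be dropped by array_filter(). Separately, nothing in the hunk sets `verify_peer`, and on the PHP versions this branch targets (< 5.6) it defaults to false, so supplying `cafile`/`capath` alone does not turn peer verification on; that is presumably handled in execute(), which continues outside the hunk, but it is worth confirming. A short comment above the two getenv() entries would help the next reader, e.g. `// SSL_CERT_DIR / SSL_CERT_FILE are the variables OpenSSL honours; they take precedence over the distro paths below`. The same hunk is repeated for the other branches (`@@ -830,6 +830,50 @@`, `@@ -860,6 +860,50 @@`, `@@ -865,6 +865,50 @@`) and in the re-posted change notifications further down, and the same remarks apply there.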
@@ -887,13 +931,7 @@ $options['ssl']['CN_match'] = $this->parsedUrl['host']; } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/237002 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_24 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list
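Review bot: The replacement line `$options['ssl'] += $this->getCertOptions();` silently changes the exception type for an invalid caInfo from MWException to DomainException, so any caller that wraps execute() in a `catch ( MWException $e )` will now let the error escape; if that is intended, execute()'s docblock should gain `@throws DomainException`, otherwise getCertOptions() should keep throwing MWException. The `+=` merge also means that if `$options['ssl']` already carries a capath or cafile (not visible here), the existing value wins over the detected one, which deserves a one-line comment such as `// += keeps an already-set capath/cafile over the detected one`. execute() starts and ends outside this hunk. The same hunk recurs for the other branches and in the re-posted notifications below.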
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 (cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713) --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 1fd437e..d0602d2 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -830,6 +830,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { wfProfileIn( __METHOD__ ); 
@@ -886,13 +930,7 @@ $options['ssl']['CN_match'] = $this->parsedUrl['host']; } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/237000 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 (cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713) --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 8e05f59..a6624ff 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -860,6 +860,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { parent::execute(); 
@@ -915,13 +959,7 @@ $options['ssl']['CN_match'] = $this->parsedUrl['host']; } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/237003 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_25 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
jenkins-bot has submitted this change and it was merged. Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) Approvals: Anomie: Looks good to me, approved BBlack: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 1c79485..24c0dfc 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -865,6 +865,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { parent::execute(); 
@@ -926,13 +970,7 @@ } } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/222079 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 6 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Brian WolffGerrit-Reviewer: Alex Monk Gerrit-Reviewer: Anomie Gerrit-Reviewer: BBlack Gerrit-Reviewer: BryanDavis Gerrit-Reviewer: CSteipp Gerrit-Reviewer: Gergő Tisza
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/237000 Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 (cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713) --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/00/237000/1 diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 1fd437e..d0602d2 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -830,6 +830,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { wfProfileIn( __METHOD__ ); 
@@ -886,13 +930,7 @@ $options['ssl']['CN_match'] = $this->parsedUrl['host']; } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/237000 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_23 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/237003 Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 (cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713) --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/03/237003/1 diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 8e05f59..a6624ff 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -860,6 +860,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { parent::execute(); 
@@ -915,13 +959,7 @@ $options['ssl']['CN_match'] = $this->parsedUrl['host']; } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/237003 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_25 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
Gergő Tisza has uploaded a new change for review. https://gerrit.wikimedia.org/r/237002 Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. Up to 5.5, PHP does not accept any certificates if cafile/capath is not set. (From 5.6 it uses the system default CA budle, which is going to be a better choice than anything we can guess.) So try to guess the location of the system default CA bundle. Won't work on windows, but that's a lost cause anyway because PHP (pre-5.6) can't handle the windows CA file format. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 (cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713) --- M includes/HttpFunctions.php 1 file changed, 45 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/02/237002/1 diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 8302124..349ace3 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -831,6 +831,50 @@ return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port']; } + /** +* Returns an array with a 'capath' or 'cafile' key that is suitable to be merged into the 'ssl' sub-array of a +* stream context options array. Uses the 'caInfo' option of the class if it is provided, otherwise uses the system +* default CA bundle if PHP supports that, or searches a few standard locations. +* @return array +* @throws DomainException +*/ + protected function getCertOptions() { + $certOptions = array(); + $certLocations = array(); + if ( $this->caInfo ) { + $certLocations = array( 'manual' => $this->caInfo ); + } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP 5.5 and older doesn't have any defaults, so we try to guess ourselves. PHP 5.6+ gets the CA location + // from OpenSSL as long as it is not set manually, so we should leave capath/cafile empty there. + $certLocations = array_filter( array( + getenv( 'SSL_CERT_DIR' ), + getenv( 'SSL_CERT_PATH' ), + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ) ); + } + + foreach( $certLocations as $key => $cert ) { + if ( is_dir( $cert ) ) { + $certOptions['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $certOptions['cafile'] = $cert; + break; + } elseif ( $key === 'manual' ) { + // fail more loudly if a cert path was manually configured and it is not valid + throw new DomainException( "Invalid CA info passed: $cert" ); + } + } + + return $certOptions; + } + public function execute() { wfProfileIn( __METHOD__ ); 
@@ -887,13 +931,7 @@ $options['ssl']['CN_match'] = $this->parsedUrl['host']; } - if ( is_dir( $this->caInfo ) ) { - $options['ssl']['capath'] = $this->caInfo; - } elseif ( is_file( $this->caInfo ) ) { - $options['ssl']['cafile'] = $this->caInfo; - } elseif ( $this->caInfo ) { - throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); - } + $options['ssl'] += $this->getCertOptions(); $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/237002 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_24 Gerrit-Owner: Gergő TiszaGerrit-Reviewer: Brian Wolff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org
[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)
Brian Wolff has uploaded a new change for review. https://gerrit.wikimedia.org/r/222079 Change subject: Use system default location for cafile when using php fopen. .. Use system default location for cafile when using php fopen. If not set, php appears to just use no CA's, and just explode. Still won't work on windows. Only possible downside is if some future of PHP actually makes fopen ssl wrapper sane, and this overrides a sane default behaviour. Bug: T75203 Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 --- M includes/HttpFunctions.php 1 file changed, 23 insertions(+), 6 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/79/222079/1 diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php index 825cd06..240fa14 100644 --- a/includes/HttpFunctions.php +++ b/includes/HttpFunctions.php 
@@ -915,12 +915,29 @@ $options['ssl']['CN_match'] = $this-parsedUrl['host']; } - if ( is_dir( $this-caInfo ) ) { - $options['ssl']['capath'] = $this-caInfo; - } elseif ( is_file( $this-caInfo ) ) { - $options['ssl']['cafile'] = $this-caInfo; - } elseif ( $this-caInfo ) { - throw new MWException( Invalid CA info passed: {$this-caInfo} ); + if ( $this-caInfo ) { + $certLocations = array( $this-caInfo ); + } else { + // Default locations, based on + // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + // PHP doesn't seem to have sane defaults, so we set ourselves. + $certLocations = array( + '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et al + '/etc/ssl/certs', # Debian et al + '/etc/pki/tls/certs/ca-bundle.trust.crt', + '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', + '/System/Library/OpenSSL', # OSX + ); + } + + foreach( $certLocations as $cert ) { + if ( is_dir( $cert ) ) { + $options['ssl']['capath'] = $cert; + break; + } elseif ( is_file( $cert ) ) { + $options['ssl']['cafile'] = $cert; + break; + } } $context = stream_context_create( $options ); -- To view, visit https://gerrit.wikimedia.org/r/222079 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Brian Wolff bawolff...@gmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
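Review bot: When caInfo is configured but is neither a directory nor a file, the new foreach just exhausts its single-entry list and the request proceeds with no capath or cafile at all, whereas the removed code threw MWException; a misconfigured trust store should fail loudly rather than degrade silently, so after the loop something like `if ( $this->caInfo && !isset( $options['ssl']['capath'] ) && !isset( $options['ssl']['cafile'] ) ) { throw new MWException( "Invalid CA info passed: {$this->caInfo}" ); }` is needed. The hard-coded list is also applied unconditionally, so on a PHP build that already ships a sane default trust store this overrides it with a guessed path, as the change description itself acknowledges; a version or capability check would limit the guessing to the builds that need it. execute() starts and ends outside this hunk.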