[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-10 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Use system default location for cafile when using php fopen.
..


Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
(cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713)
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8302124..349ace3 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -831,6 +831,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
wfProfileIn( __METHOD__ );
 
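Review bot: `getenv( 'SSL_CERT_PATH' )` in the default-location list is not the variable OpenSSL itself honours for a bundle file; OpenSSL reads `SSL_CERT_FILE` for the file and `SSL_CERT_DIR` for the directory, so a deployment that sets the standard file variable will fall through to the hard-coded guesses. The line should be `getenv( 'SSL_CERT_FILE' ),` (or list both names if `SSL_CERT_PATH` is kept for compatibility). The docblock should also say what an empty return means, e.g. `@return array Empty when no CA location could be determined, in which case the stream context gets no trust store`; whether that fails the connection depends on the verify_peer setting, which is outside this hunk. Minor style: `foreach(` should be `foreach (` to match the surrounding code. The same hunk is repeated verbatim in the REL1_24, REL1_23, REL1_25 and master messages below, so this applies to each of them.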
@@ -887,13 +931,7 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 
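Review bot: The replacement line `$options['ssl'] += $this->getCertOptions();` silently changes the exception raised for a misconfigured caInfo from MWException (the branch removed just above) to DomainException (thrown inside getCertOptions), and neither the commit message nor execute()'s own documentation mentions it; any caller that catches MWException around execute() would now let the error propagate. Either keep `throw new MWException( "Invalid CA info passed: $cert" );` in getCertOptions for compatibility, or add `@throws DomainException` to execute()'s docblock and mention the change in the commit message. execute() starts outside the hunk.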

-- 
To view, visit https://gerrit.wikimedia.org/r/237002

Gerrit-MessageType: merged
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: jenkins-bot <>


[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-10 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Use system default location for cafile when using php fopen.
..


Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
(cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713)
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 1fd437e..d0602d2 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -830,6 +830,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
wfProfileIn( __METHOD__ );
 
@@ -886,13 +930,7 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 

-- 
To view, visit https://gerrit.wikimedia.org/r/237000

Gerrit-MessageType: merged
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: jenkins-bot <>


[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-10 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Use system default location for cafile when using php fopen.
..


Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
(cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713)
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8e05f59..a6624ff 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -860,6 +860,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
 
parent::execute();
@@ -915,13 +959,7 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 

-- 
To view, visit https://gerrit.wikimedia.org/r/237003

Gerrit-MessageType: merged
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_25
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: jenkins-bot <>


[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-08 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Use system default location for cafile when using php fopen.
..


Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)

Approvals:
  Anomie: Looks good to me, approved
  BBlack: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 1c79485..24c0dfc 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -865,6 +865,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
 
parent::execute();
@@ -926,13 +970,7 @@
}
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 

-- 
To view, visit https://gerrit.wikimedia.org/r/222079

Gerrit-MessageType: merged
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 6
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff 
Gerrit-Reviewer: Alex Monk 
Gerrit-Reviewer: Anomie 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: BryanDavis 
Gerrit-Reviewer: CSteipp 
Gerrit-Reviewer: Gergő Tisza 

[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-08 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/237000

Change subject: Use system default location for cafile when using php fopen.
..

Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
(cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713)
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/00/237000/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 1fd437e..d0602d2 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -830,6 +830,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
wfProfileIn( __METHOD__ );
 
@@ -886,13 +930,7 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 

-- 
To view, visit https://gerrit.wikimedia.org/r/237000

Gerrit-MessageType: newchange
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 


[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-08 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/237003

Change subject: Use system default location for cafile when using php fopen.
..

Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
(cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713)
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/03/237003/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8e05f59..a6624ff 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -860,6 +860,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
 
parent::execute();
@@ -915,13 +959,7 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 

-- 
To view, visit https://gerrit.wikimedia.org/r/237003

Gerrit-MessageType: newchange
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_25
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 


[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-09-08 Thread Code Review
Gergő Tisza has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/237002

Change subject: Use system default location for cafile when using php fopen.
..

Use system default location for cafile when using php fopen.

Up to 5.5, PHP does not accept any certificates if cafile/capath
is not set. (From 5.6 it uses the system default CA bundle, which is
going to be a better choice than anything we can guess.) So try
to guess the location of the system default CA bundle.

Won't work on windows, but that's a lost cause anyway because PHP
(pre-5.6) can't handle the windows CA file format.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
(cherry picked from commit bcc31a9a0fa77e91c4f3ad4a7f0e056d4bf5e713)
---
M includes/HttpFunctions.php
1 file changed, 45 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/02/237002/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 8302124..349ace3 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -831,6 +831,50 @@
return 'tcp://' . $parsedUrl['host'] . ':' . $parsedUrl['port'];
}
 
+   /**
+* Returns an array with a 'capath' or 'cafile' key that is suitable to 
be merged into the 'ssl' sub-array of a
+* stream context options array. Uses the 'caInfo' option of the class 
if it is provided, otherwise uses the system
+* default CA bundle if PHP supports that, or searches a few standard 
locations.
+* @return array
+* @throws DomainException
+*/
+   protected function getCertOptions() {
+   $certOptions = array();
+   $certLocations = array();
+   if ( $this->caInfo ) {
+   $certLocations = array( 'manual' => $this->caInfo );
+   } elseif ( version_compare( PHP_VERSION, '5.6.0', '<' ) ) {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP 5.5 and older doesn't have any defaults, so we 
try to guess ourselves. PHP 5.6+ gets the CA location
+   // from OpenSSL as long as it is not set manually, so 
we should leave capath/cafile empty there.
+   $certLocations = array_filter( array(
+   getenv( 'SSL_CERT_DIR' ),
+   getenv( 'SSL_CERT_PATH' ),
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   ) );
+   }
+
+   foreach( $certLocations as $key => $cert ) {
+   if ( is_dir( $cert ) ) {
+   $certOptions['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $certOptions['cafile'] = $cert;
+   break;
+   } elseif ( $key === 'manual' ) {
+   // fail more loudly if a cert path was manually 
configured and it is not valid
+   throw new DomainException( "Invalid CA info 
passed: $cert" );
+   }
+   }
+
+   return $certOptions;
+   }
+
public function execute() {
wfProfileIn( __METHOD__ );
 
@@ -887,13 +931,7 @@
$options['ssl']['CN_match'] = $this->parsedUrl['host'];
}
 
-   if ( is_dir( $this->caInfo ) ) {
-   $options['ssl']['capath'] = $this->caInfo;
-   } elseif ( is_file( $this->caInfo ) ) {
-   $options['ssl']['cafile'] = $this->caInfo;
-   } elseif ( $this->caInfo ) {
-   throw new MWException( "Invalid CA info passed: 
{$this->caInfo}" );
-   }
+   $options['ssl'] += $this->getCertOptions();
 
$context = stream_context_create( $options );
 

-- 
To view, visit https://gerrit.wikimedia.org/r/237002

Gerrit-MessageType: newchange
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_24
Gerrit-Owner: Gergő Tisza 
Gerrit-Reviewer: Brian Wolff 


[MediaWiki-commits] [Gerrit] Use system default location for cafile when using php fopen. - change (mediawiki/core)

2015-07-01 Thread Brian Wolff (Code Review)
Brian Wolff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/222079

Change subject: Use system default location for cafile when using php fopen.
..

Use system default location for cafile when using php fopen.

If not set, php appears to just use no CA's, and just explode.

Still won't work on windows.

Only possible downside is if some future of PHP actually makes
fopen ssl wrapper sane, and this overrides a sane default behaviour.

Bug: T75203
Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
---
M includes/HttpFunctions.php
1 file changed, 23 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/79/222079/1

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 825cd06..240fa14 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -915,12 +915,29 @@
$options['ssl']['CN_match'] = $this-parsedUrl['host'];
}
 
-   if ( is_dir( $this-caInfo ) ) {
-   $options['ssl']['capath'] = $this-caInfo;
-   } elseif ( is_file( $this-caInfo ) ) {
-   $options['ssl']['cafile'] = $this-caInfo;
-   } elseif ( $this-caInfo ) {
-   throw new MWException( Invalid CA info passed: 
{$this-caInfo} );
+   if ( $this-caInfo ) {
+   $certLocations = array( $this-caInfo );
+   } else {
+   // Default locations, based on
+   // 
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+   // PHP doesn't seem to have sane defaults, so we set 
ourselves.
+   $certLocations = array(
+   '/etc/pki/tls/certs/ca-bundle.crt', # Fedora et 
al
+   '/etc/ssl/certs',  # Debian et al
+   '/etc/pki/tls/certs/ca-bundle.trust.crt',
+   
'/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+   '/System/Library/OpenSSL', # OSX
+   );
+   }
+
+   foreach( $certLocations as $cert ) {
+   if ( is_dir( $cert ) ) {
+   $options['ssl']['capath'] = $cert;
+   break;
+   } elseif ( is_file( $cert ) ) {
+   $options['ssl']['cafile'] = $cert;
+   break;
+   }
}
 
$context = stream_context_create( $options );
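Review bot: This first patchset drops the `elseif` branch that threw MWException for a configured CA path that is neither a file nor a directory, so a typo in caInfo now silently produces a stream context with no trust store instead of an error; the loop should still fail loudly for the manually configured entry, e.g. by keeping a keyed entry such as `array( 'manual' => $this->caInfo )` and throwing when that key matches nothing, as the later patchsets do. The guessed default list is also applied on every PHP version, which overrides the interpreter's own default trust store where one exists, the downside the commit message itself notes; gating the guesses on the PHP version would avoid that. The enclosing execute() starts before the hunk.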

-- 
To view, visit https://gerrit.wikimedia.org/r/222079

Gerrit-MessageType: newchange
Gerrit-Change-Id: I07736c150fe0783e09d297395ed25adf335edbd3
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff bawolff...@gmail.com
