In order for curl to verify a peer, the curl library must know where the
trusted certificate authority certificates are.
This is usually done by either putting all the trusted certs in one file
or a directory of them which is indexed using an openssl utility (at
least this is true on most Linux implementations).
According to one PHP reference, it is possible to specify CURLOPT_CAINFO (all
trusted certificate authority certs in one file) by setting an environment
variable with the full path to the file containing the certs. I suppose this
could be done by setting that in the Apache conf, but I prefer the path
method and programmatic control.
The enclosed patch adds two variables, and two functions to set the
variables in the xmlrpc client class. The patch also hopefully correctly
implements them where needed.
I have successfully tested these on a Linux distribution.
Regards,
Jim
diff -uNr xmlrpc.orig/debugger/action.php xmlrpc/debugger/action.php
--- xmlrpc.orig/debugger/action.php 2006-01-22 16:59:52.0 -0700
+++ xmlrpc/debugger/action.php 2006-04-03 13:11:07.673994700 -0700
@@ -57,6 +57,17 @@
if ($protocol == 2)
{
$client->setSSLVerifyPeer($verifypeer);
+ if($verifypeer)
+ {
+ if($cainfo)
+ {
+ $client->setCAInfo($cainfo);
+ }
+ if($capath)
+ {
+ $client->setCAPath($capath);
+ }
+ }
$client->setSSLVerifyHost($verifyhost);
$httpprotocol = 'https';
}
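Review bot: `$cainfo` and `$capath` are passed to `setCAInfo()`/`setCAPath()` with only a truthiness test, and the common.php hunk reads both values straight from `$_GET`, so the request decides which file or directory the server-side curl treats as its trust anchors. Before calling the setters, check that the values actually name a readable CA file and directory, e.g. `if ($cainfo !== '' && is_file($cainfo) && is_readable($cainfo))` and `if ($capath !== '' && is_dir($capath))`, and preferably confine both to a directory the debugger is configured with rather than accepting any server path. The new lines also write `if($verifypeer)` while the surrounding code uses `if ($protocol == 2)` with a space after the keyword. The enclosing block starts before the hunk.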
diff -uNr xmlrpc.orig/debugger/common.php xmlrpc/debugger/common.php
--- xmlrpc.orig/debugger/common.php 2006-01-22 16:59:52.0 -0700
+++ xmlrpc/debugger/common.php 2006-04-03 12:48:37.627414700 -0700
@@ -63,6 +63,9 @@
$responsecompression = $_GET['responsecompression'];
$clientcookies = isset($_GET['clientcookies']) ? $_GET['clientcookies'] :
'';
+
+$cainfo = isset($_GET['cainfo']) ? $_GET['cainfo'] : '';
+$capath = isset($_GET['capath']) ? $_GET['capath'] : '';
}
else
{
@@ -82,6 +85,8 @@
$requestcompression = 0;
$responsecompression = 0;
$clientcookies = '';
+ $cainfo = '';
+ $capath = '';
}
// check input for known XMLRPC attacks against this or other libs
diff -uNr xmlrpc.orig/debugger/controller.php xmlrpc/debugger/controller.php
--- xmlrpc.orig/debugger/controller.php 2006-01-22 16:59:52.0 -0700
+++ xmlrpc/debugger/controller.php 2006-04-03 12:55:54.282028900 -0700
@@ -77,11 +77,15 @@
{
document.frmaction.verifypeer.disabled = true;
document.frmaction.verifyhost.disabled = true;
+ document.frmaction.cainfo.disabled = true;
+ document.frmaction.capath.disabled = true;
}
else
{
document.frmaction.verifypeer.disabled = false;
document.frmaction.verifyhost.disabled = false;
+ document.frmaction.cainfo.disabled = false;
+ document.frmaction.capath.disabled = false;
}
}
//-->
@@ -133,6 +137,12 @@
+
+CAInfo:
+CAPath:
+
+
+
PROXY:
Server:
Proxy user:
diff -uNr xmlrpc.orig/lib/xmlrpc.inc xmlrpc/lib/xmlrpc.inc
--- xmlrpc.orig/lib/xmlrpc.inc 2006-01-22 16:59:54.0 -0700
+++ xmlrpc/lib/xmlrpc.inc 2006-04-03 10:47:31.686286300 -0700
@@ -728,6 +728,8 @@
var $proxy_user = '';
var $proxy_pass = '';
var $cookies=array();
+ var $cainfo='';
+ var $capath='';
/**
* List of http compression methods accepted by the client for
responses.
* NB: PHP supports deflate, gzip compressions out of the box if
compiled w. zlib
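Review bot: The two new properties `$cainfo` and `$capath` carry no comment, while the property that follows them in the hunk gets a full docblock; add `/** Path of a file holding the trusted CA certificates (curl CURLOPT_CAINFO); empty means the option is not set */` above `$cainfo` and `/** Directory of trusted CA certificates (curl CURLOPT_CAPATH); empty means the option is not set */` above `$capath`. The declarations also drop the spaces around `=` that `$proxy_user` and `$proxy_pass` use two lines above.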
@@ -899,6 +901,25 @@
{
$this->verifyhost = $i;
}
+
+ /*
+ * @param string $cafile The name of a file holding one or more
certificates to verify the peer with.
+ * @access public
+ */
+ function setCAInfo($cai)
+ {
+ $this->cainfo = $cai;
+ }
+
+ /*
+ * @param string $capath A directory that holds multiple CA
certificates.
+ * @access public
+ */
+ function setCAPath($cap)
+ {
+ $this->capath = $cap;
+ }
+
/**
* Set proxy info
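Review bot: Both new doc comments open with `/*` rather than `/**`, unlike the `/**` block that follows them, so documentation tools will skip them, and their `@param` names (`$cafile`, `$capath`) do not match the actual parameters `$cai` and `$cap`. Change the openers to `/**` and the tags to `@param string $cai Path of a file holding one or more CA certificates to verify the peer with` and `@param string $cap Directory holding multiple CA certificates`. Since the setters store whatever string they are given, a sentence noting that no existence check is made here and an unusable path only surfaces when a request runs with verifypeer on would set expectations for callers.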
@@ -1416,6 +1437,18 @@
}
// whether to verify remote host's cert
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER,
$this->verifypeer);
+
+ if($this->verifypeer)
+ {
+ if($this->cainfo)
+