Hi Ralph,

Btw, I added a custom capath ini setting for curl already. It allows you to set it and use the updated cert db as provided on the curl site:

http://www.php.net/manual/en/curl.configuration.php#ini.curl.cainfo

Something similar could be possible for openssl. Can you open a feature request on bugs.pop.net and assign it to me pls?

Cheers,

On Sep 25, 2012 6:56 PM, "Ralph Schindler" <ra...@ralphschindler.com> wrote:
> Hey all,
>
> An odd problem has cropped up that I think can be solved at the PHP level.
> Basically, on Ubuntu (and other distributions), using an ssl stream context
> with verify_peer = true could potentially fail. This is due to the fact
> that OpenSSL, seemingly, only has a compile-time value for CApath (that
> generally can't be changed to my knowledge), does not respond to any env.
> variables and does not take any system specific paths into consideration
> (with the exception of via SSL_CTX_load_verify_locations).
>
> In short, what you get is that a script like this:
>
> https://gist.github.com/3776515
>
> will fail for streams, but pass for cURL. (The reason cURL passes is they
> sub in default CApaths dependent on the system you're on.)
>
> What I propose is the addition of php.ini settings for a default capath
> that php can use when it is not supplied as an option to the ssl stream
> context:
>
> ;openssl.capath = '/etc/ssl/cert'
>
> Additionally, I would suggest that if this value is not present in a
> php.ini, we (like curl) stub in a path (default value) at compile time that
> matches the target system as best we can. I've found a list here:
>
> http://gagravarr.org/writing/openssl-certs/others.shtml
>
> The goal is to be able to influence the capath globally so that all
> streams can take advantage of it when OpenSSL is acting goofy (which is
> default on ubuntu), and when the user has not provided one via the ssl stream
> context option 'capath'.
>
> Basically, I want openssl/php stream ssl to work as well as cURL does.
>
> Hopefully I've explained this clearly enough, thoughts?
>
> -ralph
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
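The fallback chain Ralph proposes (explicit `capath` context option, then a php.ini default, then a compile-time/system default) can be approximated in userland today. The following is an added example, not code from the thread or from PHP itself: it resolves a CA directory in that order, refuses to connect rather than silently downgrading when none is found, and opens a verified `ssl://` stream. It assumes the `openssl.capath` ini setting (added in PHP 5.6, after this thread) and `verify_peer_name` (also 5.6+) are available; the candidate system directories are illustrative, not a complete list.

```php
<?php
// Added example (not part of the mailing-list thread or of PHP's own code).
// Assumptions: PHP >= 5.6 (openssl.capath ini setting, verify_peer_name option);
// the candidate directory list below is illustrative only.

/**
 * Resolve the CA directory in the order the thread proposes:
 *   1. explicit 'capath' passed by the caller (ssl stream context option)
 *   2. the openssl.capath php.ini setting
 *   3. a short list of well-known distribution paths (illustrative)
 * Returns null when nothing usable is found so the caller can fail closed.
 */
function resolve_capath(array $opts = [])
{
    if (!empty($opts['capath']) && is_dir($opts['capath'])) {
        return $opts['capath'];
    }

    $ini = ini_get('openssl.capath');          // php.ini default, if configured
    if ($ini !== false && $ini !== '' && is_dir($ini)) {
        return $ini;
    }

    // Illustrative system defaults (Debian/Ubuntu, RHEL/CentOS, FreeBSD).
    $candidates = ['/etc/ssl/certs', '/etc/pki/tls/certs', '/usr/local/share/certs'];
    foreach ($candidates as $dir) {
        if (is_dir($dir)) {
            return $dir;
        }
    }
    return null;
}

/**
 * Open a TLS connection with peer verification forced on and return the
 * first HTTP status line. Throws instead of falling back to an unverified
 * connection when no CA directory can be resolved.
 */
function verified_https_status(string $host, array $opts = []): string
{
    $capath = resolve_capath($opts);
    if ($capath === null) {
        throw new RuntimeException('No CA directory available; refusing to connect without verification');
    }

    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,   // validate the chain against capath
        'verify_peer_name'  => true,   // validate the hostname (5.6+)
        'allow_self_signed' => false,
        'capath'            => $capath,
    ]]);

    $fp = @stream_socket_client("ssl://{$host}:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // On the Ubuntu case from the thread this is where a bad CApath surfaces.
        throw new RuntimeException("TLS connect to {$host} failed: {$errstr} ({$errno})");
    }

    fwrite($fp, "HEAD / HTTP/1.0\r\nHost: {$host}\r\nConnection: close\r\n\r\n");
    $status = fgets($fp);
    fclose($fp);
    return trim((string) $status);
}

// Usage (needs network access):
// echo verified_https_status('www.php.net'), PHP_EOL;
// echo verified_https_status('www.php.net', ['capath' => '/etc/ssl/certs']), PHP_EOL;
```

The important design choice is the `null` return from `resolve_capath()`: a missing CA directory makes the connection fail, which is the same failure Ralph observes on Ubuntu, but it is reported as a configuration error rather than being papered over by setting `verify_peer` to `false`.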