php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62050 Default CA certificates are not loaded
Submitted: 2012-05-16 21:29 UTC Modified: 2014-02-26 04:14 UTC
Votes:13
Avg. Score:4.5 ± 0.7
Reproduced:9 of 9 (100.0%)
Same Version:4 (44.4%)
Same OS:6 (66.7%)
From: glenn at zewt dot org Assigned: rdlowrey (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.4.3 OS: Linux
Private report: No CVE-ID: None
 [2012-05-16 21:29 UTC] glenn at zewt dot org
Description:
------------
OpenSSL CA default certificates are not loaded.  To make HTTPS certificate 
verification work, I have to hardcode the path to where CA certs are on the 
local system, eg:

$req = new HTTP_Request2('https://url', HTTP_Request2::METHOD_GET,
    array ("ssl_capath" => "/usr/lib/ssl/certs"));

This isn't portable, and it's very unobvious; it seems that some people "work 
around" this by disabling certificate verification, which is bad.  I don't know 
if some distros patch around this problem, or if there's something else going on 
for this not to happen to everybody; I'm hitting it on Debian testing and with 
OpenSSL 1.0.1c.

In php_SSL_new_from_context, if cafile and capath are both NULL, it looks like 
you only need to call SSL_CTX_set_default_verify_paths instead of 
SSL_CTX_load_verify_locations.  Don't call it if either are specified, so people 
don't end up with certificates loaded when they explicitly want to load only 
specific ones.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-20 00:09 UTC] rdlowrey@php.net
Default cert locations are now loaded in the absence of a stream context specification or ini directive (openssl.cafile/openssl.capath) as of PHP 5.6.

As this is more a feature request than an actual bug I'm closing the report. If the lack of this functionality creates a serious problem for people in 5.4 and 5.5 I can look at possibly backporting the feature once 5.6 is officially released.

Alternatively, you can try to hassle me on this bug report :)
 [2014-02-20 00:10 UTC] rdlowrey@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: rdlowrey
 [2014-02-20 01:28 UTC] glenn at zewt dot org
Ignoring bug reports for a year and a half--especially detailed, security-related reports that suggest a specific fix--is an effective way to discourage people from reporting bugs.  Calling an issue like this a "feature request" doesn't help, either.
 [2014-02-20 01:37 UTC] rdlowrey@php.net
I've been contributing to PHP-src for about six weeks at this point. Let me apologize that this wasn't fixed sooner. I only have 24 hours in the day and I've been spending a disproportionate number of them working on the backlog of OpenSSL functionality. No one pays me to work on PHP. If at any point you feel the progress isn't up to your standards feel free to do what I did: start solving the problems and PRing fixes instead of complaining about them. Otherwise take the self-righteousness on down the road.
 [2014-02-25 07:44 UTC] krakjoe@php.net
Glenn, that was quite rude. You do understand that PHP is driven by volunteers, finding time in their day to try to improve PHP, in between at least one of university, 50-60 hour weeks, and a family. Nobody actually owes you the time it takes to solve your problems, if you report a bug and get no response it's because there is no good response to be had. It's not like the openssl department of the PHP enterprise (which _obviously_ doesn't exist) ignored your report.

You should find it encouraging, even though your report was open for more than a year someone did find the time to try to address it, that's a positive thing ...

tl;dr be positive ...

Daniel, don't sweat it, keep up the good work ;)
 [2014-02-26 04:14 UTC] glenn at zewt dot org
No, it wasn't.  Fifteen years of open source work tells me that "we're doing this for free" is a poor answer to asking users to contribute bug reports (a time-consuming thing to do) and then not acknowledging that anyone has even read it for a year and a half.  If you don't have time to answer bug reports, then don't ask for them.

(This has nothing to do with "rdlowrey"; bug tracker responsiveness is a project issue.)
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Mar 07 03:01:23 2021 UTC