php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65154 setup_verify implicitly adds default CA paths
Submitted: 2013-06-27 22:20 UTC Modified: 2013-07-03 21:58 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bholbrook at bomgar dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 5.5.0 OS: all
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2013-06-27 22:20 UTC] bholbrook at bomgar dot com
Description:
------------
In openssl.c, the static setup_verify() function is designed to take a ZVAL array of directory and file paths, and return an X509_STORE* that contains the paths provided as trusted CA stores.

However, setup_verify() has a strange quirk, in that it requires there to always be at least one regular file and at least one directory in X509_STORE.

If the caller only specifies one or more directories and no regular files, setup_verify() will implicitly add OpenSSL's default CA file.

Conversely, if the caller only specifies one or more regular files and no directories, setup_verify() will implicitly add OpenSSL's default CA hash dir.

Why?  This behavior is both unnecessary and undesirable, but difficult to workaround.

I am calling setup_verify() with an array that contains a single directory of "trusted" CA certs for verification, but PHP is always implicitly including the default list of CA certs to the X509_STORE.  In order to prevent this from happening, I also need to specify a dummy regular file to setup_verify().  BUT, that's not all!  The dummy file cannot simply be /dev/null or some other empty file, it must actually parse as a valid PEM certificate in order for setup_verify() to consider the "file" requirement satisfied.

My expectation is that if I pass a single file or single hash_dir to this function, that is the *only* source that will be built into X509_STORE.  If _any_ valid input is provided to this function, there should be _no_ implicit behavior.

Please, rather than maintaining separate nfiles and ndirs counters, use a single "ntargets" counter that increments for both directory and valid file arguments. Then, if after parsing all array member arguments, if ntargets is still 0, feel free to add BOTH OpenSSL's default CA file and CA hash_dir, or whatever you feel is the most appropriate implicit behavior of this function.  I have patched my PHP this way and am running in production.  I can provide the simple patch if necessary.


Patches

php-openssl-setup-verify (last revision 2014-03-13 14:37 UTC by bholbrook at bomgar dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-07-03 21:58 UTC] felipe@php.net
Feel free to attach your patch to the report.

Thanks.
 [2014-03-13 14:39 UTC] bholbrook at bomgar dot com
Sorry for my late response :)

Here is the patch I am using against the current master.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Dec 18 18:01:27 2018 UTC