|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65154 setup_verify implicitly adds default CA paths
Submitted: 2013-06-27 22:20 UTC Modified: 2013-07-03 21:58 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bholbrook at bomgar dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 5.5.0 OS: all
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: bholbrook at bomgar dot com
New email:
PHP Version: OS:


 [2013-06-27 22:20 UTC] bholbrook at bomgar dot com
In openssl.c, the static setup_verify() function is designed to take a ZVAL array of directory and file paths, and return an X509_STORE* that contains the paths provided as trusted CA stores.

However, setup_verify() has a strange quirk, in that it requires there to always be at least one regular file and at least one directory in X509_STORE.

If the caller only specifies one or more directories and no regular files, setup_verify() will implicitly add OpenSSL's default CA file.

Conversely, if the caller only specifies one or more regular files and no directories, setup_verify() will implicitly add OpenSSL's default CA hash dir.

Why?  This behavior is both unnecessary and undesirable, but difficult to workaround.

I am calling setup_verify() with an array that contains a single directory of "trusted" CA certs for verification, but PHP is always implicitly including the default list of CA certs to the X509_STORE.  In order to prevent this from happening, I also need to specify a dummy regular file to setup_verify().  BUT, that's not all!  The dummy file cannot simply be /dev/null or some other empty file, it must actually parse as a valid PEM certificate in order for setup_verify() to consider the "file" requirement satisfied.

My expectation is that if I pass a single file or single hash_dir to this function, that is the *only* source that will be built into X509_STORE.  If _any_ valid input is provided to this function, there should be _no_ implicit behavior.

Please, rather than maintaining separate nfiles and ndirs counters, use a single "ntargets" counter that increments for both directory and valid file arguments. Then, if after parsing all array member arguments, if ntargets is still 0, feel free to add BOTH OpenSSL's default CA file and CA hash_dir, or whatever you feel is the most appropriate implicit behavior of this function.  I have patched my PHP this way and am running in production.  I can provide the simple patch if necessary.


php-openssl-setup-verify (last revision 2014-03-13 14:37 UTC by bholbrook at bomgar dot com)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-07-03 21:58 UTC]
Feel free to attach your patch to the report.

 [2014-03-13 14:39 UTC] bholbrook at bomgar dot com
Sorry for my late response :)

Here is the patch I am using against the current master.
 [2021-11-04 13:45 UTC] alec at alec dot pl
So, a simple patch exists and still no action since 2014? Anyone? I guess, I could create a PR.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 23 22:01:31 2024 UTC