PHP :: Request #65154 :: setup_verify implicitly adds default CA paths

setup_verify implicitly adds default CA paths

Submitted:

2013-06-27 22:20 UTC

Modified:

2024-12-30 20:57 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

bholbrook at bomgar dot com

Assigned:

bukka (profile)

Status:

Assigned

Package:

OpenSSL related

PHP Version:

5.5.0

OS:

all

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bholbrook at bomgar dot com
New email:
PHP Version:		OS:

New Comment:

[2013-06-27 22:20 UTC] bholbrook at bomgar dot com

Description:
------------
In openssl.c, the static setup_verify() function is designed to take a ZVAL array of directory and file paths, and return an X509_STORE* that contains the paths provided as trusted CA stores.

However, setup_verify() has a strange quirk, in that it requires there to always be at least one regular file and at least one directory in X509_STORE.

If the caller only specifies one or more directories and no regular files, setup_verify() will implicitly add OpenSSL's default CA file.

Conversely, if the caller only specifies one or more regular files and no directories, setup_verify() will implicitly add OpenSSL's default CA hash dir.

Why?  This behavior is both unnecessary and undesirable, but difficult to workaround.

I am calling setup_verify() with an array that contains a single directory of "trusted" CA certs for verification, but PHP is always implicitly including the default list of CA certs to the X509_STORE.  In order to prevent this from happening, I also need to specify a dummy regular file to setup_verify().  BUT, that's not all!  The dummy file cannot simply be /dev/null or some other empty file, it must actually parse as a valid PEM certificate in order for setup_verify() to consider the "file" requirement satisfied.

My expectation is that if I pass a single file or single hash_dir to this function, that is the *only* source that will be built into X509_STORE.  If _any_ valid input is provided to this function, there should be _no_ implicit behavior.

Please, rather than maintaining separate nfiles and ndirs counters, use a single "ntargets" counter that increments for both directory and valid file arguments. Then, if after parsing all array member arguments, if ntargets is still 0, feel free to add BOTH OpenSSL's default CA file and CA hash_dir, or whatever you feel is the most appropriate implicit behavior of this function.  I have patched my PHP this way and am running in production.  I can provide the simple patch if necessary.

Patches

php-openssl-setup-verify (last revision 2014-03-13 14:37 UTC by bholbrook at bomgar dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-07-03 21:58 UTC] felipe@php.net

Feel free to attach your patch to the report.

Thanks.

[2014-03-13 14:39 UTC] bholbrook at bomgar dot com

Sorry for my late response :)

Here is the patch I am using against the current master.

[2021-08-13 11:37 UTC] cmb@php.net

Related To: Bug #75494

[2021-11-04 13:45 UTC] alec at alec dot pl

So, a simple patch exists and still no action since 2014? Anyone? I guess, I could create a PR.

[2024-12-30 20:57 UTC] bukka@php.net

-Status: Open +Status: Assigned -Type: Bug +Type: Feature/Change Request -Assigned To: +Assigned To: bukka

[2024-12-30 20:57 UTC] bukka@php.net

Apology for this taking so long to pick up.

So this looks obviously done on purpose and unfortunately we cannot just change this (certainly not as a bug fix and even in stable version) as it would be a hard to catch BC break. That said I think we should at least introduce some way for user to prevent setting the default cert path / dir. The setup_verify is used by those functions:

- openssl_x509_checkpurpose
- openssl_pkcs7_verify
- openssl_cms_verify

I thought about the API and we could introduce a flag parameter for each of those functions and introduce two new constants (e.g. OPENSSL_X509_CAINFO_NO_DEFAULT_PATH / OPENSSL_X509_CAINFO_NO_DEFAULT_DIR) that could be passed in. I had some other ideas but this seems probably cleanest of all.

It also needs to be properly documented.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 15 20:01:35 2025 UTC