Request #68575 Upgrade cURL to at least 7.39.0 for pinnedpubkey support
Submitted: 2014-12-09 15:08 UTC Modified: 2016-10-05 17:00 UTC
Votes:11
Avg. Score:4.9 ± 0.3
Reproduced:9 of 10 (90.0%)
Same Version:7 (77.8%)
Same OS:6 (66.7%)
From: scott at arciszewski dot me Assigned: cmb (profile)
Status: Closed Package: cURL related
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2014-12-09 15:08 UTC] scott at arciszewski dot me
Description:
------------
Curl 7.39.00 supports a --pinnedpubkey flag which allows you to pin the public key used by the connection, and abort otherwise.

http://curl.haxx.se/docs/manpage.html

Test script:
---------------
<?php
// Desired usage:

// $pem_public_key is assumed to be defined earlier and to hold the public key
// (or its hash) that the connection must present.
$ch = curl_init("https://example.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Proposed option name in this request; PHP later implemented it as CURLOPT_PINNEDPUBLICKEY.
curl_setopt($ch, CURLOPT_PINNED_PUBKEY, $pem_public_key);
$result = curl_exec($ch);

if ($result !== false) {
  var_dump($result);
}
curl_close($ch);

 [2015-11-25 16:40 UTC] ebc82ab1 at opayq dot com
This issue is quite an old one, and in the future secure encrypted communication becomes more important. And as public key pinning is a really nice feature which can restrict the risk of rogue CAs very much, it would be very nice if this feature could also be added to PHP.

As you can see it was implemented in cURL some months before this issue here was opened:
http://curl.haxx.se/mail/lib-2014-08/0224.html

[In the doc](http://curl.haxx.se/docs/manpage.html) it also shows the exact version numbers of cURL to be used with different SSL/TLS libraries:
> Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS and wolfSSL/CyaSSL. sha256 support added in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL backends not supported. 

BTW here a Stackoverflow question about this: https://stackoverflow.com/questions/27112356/tls-public-key-pinning-with-php-curl

Regards,
rugk
 [2016-04-21 15:36 UTC] scott at arciszewski dot me
Asked in room 11, and Nikita says this should be as simple as defining the constant.
 [2016-07-03 16:56 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-07-03 16:56 UTC] cmb@php.net
> Asked in room 11, and Nikita says this should be as simple as
> defining the constant.

Indeed, and that has happened as of PHP 7.0.7.
 [2016-09-14 21:38 UTC] rugk at posteo dot de
So how can this be used in PHP?
When will the doc (I assume https://secure.php.net/manual/de/function.curl-setopt.php) be updated?
 [2016-09-15 09:13 UTC] cmb@php.net
-Status: Closed +Status: Re-Opened
 [2016-09-15 09:13 UTC] cmb@php.net
The option is actually called CURLOPT_PINNEDPUBLICKEY, and it's
already basically documented. The docs need to be improved; see
<https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html>.
Also the error constant CURLE_SSL_PINNEDPUBKEYNOTMATCH has to be
implemented.
 [2016-09-15 10:37 UTC] cmb@php.net
Improved the docs[1] and submitted a PR wrt. the error constant[2].

[1] <http://svn.php.net/viewvc?view=revision&revision=340038>
[2] <https://github.com/php/php-src/pull/2128>
 [2016-09-18 12:06 UTC] rugk at posteo dot de
So if it is just the constant definition, which was missing, am I right that I could manually define the constant CURLOPT_PINNEDPUBLICKEY in PHP > 7.0.7 to use it?

<?php
defined('CURLOPT_PINNEDPUBLICKEY')  || define('CURLOPT_PINNEDPUBLICKEY', 1234);

$ch = curl_init("https://example.com");
curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, "sha256//YhKJKSzoTt2b5FP18fvpHo7fJYqQCjAa3HWY3tvRMwE=;sha256//t62CeU2tQiqkexU74Gxa2eg7fRbEgoChTociMee9wno=");

// and so on...

If so can anyone please tell me what value "CURLOPT_PINNEDPUBLICKEY" actually has? In my example above I used 1234 just as a placeholder.
Also, will older curl versions ignore the value, or do I have to check whether the installed curl version supports this constant?
 [2016-09-18 12:06 UTC] rugk at posteo dot de
Oh I meant "in PHP < 7.0.7" of course.
 [2016-09-18 12:15 UTC] rugk at posteo dot de
Currently when I do php -r 'echo CURLOPT_PINNEDPUBLICKEY;' in PHP 7.0.10 or even PHP Nightly (7.2.0-dev) I only get:
Notice: Use of undefined constant CURLOPT_PINNEDPUBLICKEY - assumed 'CURLOPT_PINNEDPUBLICKEY' in Command line code on line 1
 [2016-09-18 16:09 UTC] cmb@php.net
Yes, you can define the constant manually for older PHP versions,
if it's supported by libcurl (the value is supposed to be 10230,
but that might change).

If CURLOPT_PINNEDPUBLICKEY is not available in recent PHP
versions, either cURL is not available at all, or you have libcurl
< 7.39.0.
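Putting the thread's pieces together (the manual constant definition for older PHP, the libcurl 7.39.0 floor, and the mismatch error constant) as an added example; this is not code from the bug report or from php-src. The pin strings are constructed placeholders, and the value 90 is libcurl's own CURLE_SSL_PINNEDPUBKEYNOTMATCH code.

```php
<?php
// Added example: enforce an SPKI pin through PHP's cURL binding, failing closed
// when the pin cannot be applied. Pin values below are constructed placeholders.

// PHP < 7.0.7 ships no constant; libcurl's CURLOPT_PINNEDPUBLICKEY is 10230
// (as stated in the thread, that number may change in later libcurl releases).
defined('CURLOPT_PINNEDPUBLICKEY') || define('CURLOPT_PINNEDPUBLICKEY', 10230);
// Error code libcurl reports when the presented key matches no pin (curl.h value 90).
defined('CURLE_SSL_PINNEDPUBKEYNOTMATCH') || define('CURLE_SSL_PINNEDPUBKEYNOTMATCH', 90);

function libcurl_supports_pinning(): bool
{
    // --pinnedpubkey support arrived in libcurl 7.39.0 (OpenSSL/GnuTLS/GSKit).
    return version_compare(curl_version()['version'], '7.39.0', '>=');
}

function fetch_pinned(string $url, string $pins): string
{
    if (!libcurl_supports_pinning()) {
        // A pin that cannot be enforced gives no protection: refuse rather than
        // send the request unpinned.
        throw new RuntimeException('libcurl < 7.39.0: public key pinning unavailable');
    }
    $ch = curl_init($url);
    $ok = curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // pinning complements chain validation, it does not replace it
        CURLOPT_SSL_VERIFYHOST => 2,
        // "sha256//<base64 SPKI hash>;sha256//<backup hash>": list a backup pin so a
        // planned key rotation does not lock clients out.
        CURLOPT_PINNEDPUBLICKEY => $pins,
    ]);
    if ($ok === false) {
        // curl_setopt_array() returns false if any option was rejected, e.g. an
        // option number this PHP/libcurl build does not recognise.
        curl_close($ch);
        throw new RuntimeException('could not apply CURLOPT_PINNEDPUBLICKEY on this build');
    }
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($errno === CURLE_SSL_PINNEDPUBKEYNOTMATCH) {
        throw new RuntimeException("pin mismatch for $url: $error");
    }
    if ($body === false) {
        throw new RuntimeException("curl error $errno: $error");
    }
    return $body;
}

// Constructed placeholder pins (not real hashes); replace with the server's SPKI hashes.
$pins = 'sha256//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;sha256//BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=';
echo fetch_pinned('https://example.com', $pins);
```

With placeholder pins the call is expected to throw the pin-mismatch exception, which is the behaviour a pin-mismatch log or alert should key on.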
 [2016-10-05 17:00 UTC] cmb@php.net
-Status: Re-Opened +Status: Closed
 [2016-10-05 17:00 UTC] cmb@php.net
PR #2128 has been merged, so this ticket can be closed.