|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #70038 peer verification needs to be a global option
Submitted: 2015-07-10 09:23 UTC Modified: 2015-07-10 12:15 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: spam2 at rhsoft dot net Assigned:
Status: Open Package: Streams related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: spam2 at rhsoft dot net
New email:
PHP Version: OS:


 [2015-07-10 09:23 UTC] spam2 at rhsoft dot net
it's nice that you can disable certificate-verification for file_get_contents stream_context_create() and pass the context as param

BUT BECAUSE EVERY function in php supports the stream-wrappers this is completly inconsistent ( and not useable in real life applications which may run as clone in testing environments

you hardly want to place stream_context_create() all over your codebase and HONESTLY if 3rd party libraries are part of the game YOU CAN NOT DO that in many cases and so you NEED a GLOBAL configuration parameter to disable the verification via per-directory, php.ini or inside the application like if($config['debug_mode']) ini_set('peer_verification', 0);

it's unbelieveable that after the 5.4 disaster changing the default charset with no global option and re-write and re-test some undret thousand LOC now ith 5.6 "default_charset" two major releases that fallout was fixed while in the same major release the major mistake was repeated with peer verification


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-10 10:09 UTC]
-Status: Open +Status: Feedback -Type: Bug +Type: Feature/Change Request
 [2015-07-10 10:09 UTC]
What part of this can't be solved with stream_context_set_default()?
 [2015-07-10 10:18 UTC] spam2 at rhsoft dot net
-Status: Feedback +Status: Open
 [2015-07-10 10:18 UTC] spam2 at rhsoft dot net
 [2015-07-10 10:22 UTC] spam2 at rhsoft dot net
stream_context_set_default() is PHP code, you have to touch every application

a PHP_INI_ALL option could be set by the sysadmin for specific vhosts or directories *without* touching application code and that is an important difference if you have 3rd party applications you are not allowed to touch
 [2015-07-10 12:09 UTC]
It seems to me that there are two not necessarily related issues:

 a) the possibility to change default stream context options
    without touching application code
 b) the ability to disable peer certificate validation for
    extensions not regading default stream context options,
    respectively to make those extension regard the default stream
    context options
I suggest to address these issues with separate tickets.
a) might already be solvable by setting auto_prepend_file[1]
appropriately. If that is not viable, a special ini setting might
be in order, but I wouldn't make it PHP_INI_ALL for security

[1] <>
 [2015-07-10 12:15 UTC] spam2 at rhsoft dot net
"auto_prepend_file" is a really dirty workaround

> but I wouldn't make it PHP_INI_ALL for security reasons

which security reasons?

if stream_context_set_default() would be respected as it should be you could change it already in the script and there is no point to not have that option for php.ini, httpd.conf and <VirtualHost> as well as <Directory>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 15 04:01:28 2024 UTC