Request #70038 peer verification needs to be a global option
Submitted: 2015-07-10 09:23 UTC Modified: 2015-07-10 12:15 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: spam2 at rhsoft dot net Assigned:
Status: Open Package: Streams related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: None

 [2015-07-10 09:23 UTC] spam2 at rhsoft dot net
it's nice that you can disable certificate-verification for file_get_contents with stream_context_create() and pass the context as param

BUT BECAUSE EVERY function in php supports the stream-wrappers this is completely inconsistent (and not usable in real life applications which may run as clone in testing environments)

you hardly want to place stream_context_create() all over your codebase and HONESTLY if 3rd party libraries are part of the game YOU CAN NOT DO that in many cases and so you NEED a GLOBAL configuration parameter to disable the verification via per-directory, php.ini or inside the application like if($config['debug_mode']) ini_set('peer_verification', 0);

it's unbelievable that after the 5.4 disaster changing the default charset with no global option and re-write and re-test some hundred thousand LOC now with 5.6 "default_charset" two major releases that fallout was fixed while in the same major release the major mistake was repeated with peer verification


 [2015-07-10 10:09 UTC]
-Status: Open +Status: Feedback -Type: Bug +Type: Feature/Change Request
 [2015-07-10 10:09 UTC]
What part of this can't be solved with stream_context_set_default()?
 [2015-07-10 10:18 UTC] spam2 at rhsoft dot net
-Status: Feedback +Status: Open
 [2015-07-10 10:18 UTC] spam2 at rhsoft dot net
 [2015-07-10 10:22 UTC] spam2 at rhsoft dot net
stream_context_set_default() is PHP code, you have to touch every application

a PHP_INI_ALL option could be set by the sysadmin for specific vhosts or directories *without* touching application code and that is an important difference if you have 3rd party applications you are not allowed to touch
 [2015-07-10 12:09 UTC]
It seems to me that there are two not necessarily related issues:

 a) the possibility to change default stream context options
    without touching application code
 b) the ability to disable peer certificate validation for
    extensions not regarding default stream context options,
    respectively to make those extension regard the default stream
    context options
I suggest to address these issues with separate tickets.
a) might already be solvable by setting auto_prepend_file[1]
appropriately. If that is not viable, a special ini setting might
be in order, but I wouldn't make it PHP_INI_ALL for security reasons.

[1] <>
 [2015-07-10 12:15 UTC] spam2 at rhsoft dot net
"auto_prepend_file" is a really dirty workaround

> but I wouldn't make it PHP_INI_ALL for security reasons

which security reasons?

if stream_context_set_default() would be respected as it should be you could change it already in the script and there is no point to not have that option for php.ini, httpd.conf and <VirtualHost> as well as <Directory>
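
The approach discussed in this thread (stream_context_set_default() loaded through auto_prepend_file), as an added example that is not part of the original report or of PHP's own code: rather than switching verification off in a testing clone, it keeps verify_peer enabled and trusts the clone's internal CA. The prepend file path, the APP_ENV variable, the function name and the CA bundle path are assumptions.

```php
<?php
// Added example, not from the bug thread. Meant to be loaded without touching
// application code, e.g. in a <VirtualHost> or <Directory> block:
//   php_admin_value auto_prepend_file /etc/php/tls_defaults.php
// The path above, APP_ENV and the CA bundle path below are hypothetical.

/**
 * Build default "ssl" context options for the given environment.
 * Verification stays on everywhere; a testing clone trusts its own
 * internal CA instead of setting verify_peer to false.
 */
function tls_default_options($env, $testCaFile)
{
    $ssl = array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
    );

    if ($env === 'testing') {
        if (is_readable($testCaFile)) {
            // Trust only the test CA for the clone's internal endpoints.
            $ssl['cafile'] = $testCaFile;
        } else {
            // Fail closed: keep the system trust store, so requests to hosts
            // with test certificates fail instead of going unverified.
            error_log("tls_defaults: CA bundle not readable: $testCaFile");
        }
    }

    return array('ssl' => $ssl);
}

$env = getenv('APP_ENV') ?: 'production';
stream_context_set_default(
    tls_default_options($env, '/etc/pki/test-ca/bundle.pem')
);

// From here on, stream calls made without an explicit context pick up these
// options, for example:
//   file_get_contents('https://api.test.example/status');
// Code that passes its own stream_context_create() result is not affected,
// and neither are extensions that ignore the default stream context
// (issue b in the comment above).
```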
Last updated: Mon Oct 02 22:01:25 2023 UTC