How to check "verify_peer_name = false" SSL context parameter via php.ini in PHP 5.6

Case: I would like to open an SSL connection to localhost, while the SSL certificate was issued for the fully qualified domain name.

Problem: without special handling, line (*) of the program below produces the following warning:

PHP Warning: stream_socket_enable_crypto(): Peer certificate CN='myhost.com' did not match expected CN='localhost' in test.php

PHP test program:

 <?php
 $fp = stream_socket_client("tcp://localhost:993", $errno, $errstr, 30);
 // (*) if commented, the program fails
 //stream_context_set_option($fp, 'ssl', 'verify_peer_name', false);
 if (!$fp) {
     die("Unable to connect: $errstr ($errno)");
 }
 if (!stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
     die("Failed to start SSL");
 }
 fwrite($fp, "USER god\r\n");
 fwrite($fp, "PASS secret\r\n");
 while ($motd = fgets($fp)) {
     echo $motd;
 }
 fclose($fp);

Since I have a lot of legacy code, I would like a solution that only applies changes to php.ini (or the CLI), but unfortunately none of the below work:

php -d verify_peer_name=false test.php

php -d ssl.verify_peer_name=false test.php

Ideas?

Literature:

php ssl
1 answer

TL;DR

While cafile and capath are both runtime configuration and SSL context parameters, verify_peer_name and verify_peer are SSL context parameters.

Thus, these latter two cannot be modified using runtime configuration directives.


I can understand the confusion from the documentation reproduced here, but these two paragraphs actually refer to two different concepts in PHP.

The default CA bundle may be overridden on a global basis by setting either the openssl.cafile or openssl.capath configuration setting, or on a per-request basis by using the cafile or capath context options.

Although generally not recommended, you can disable peer certificate verification for a request by setting the verify_peer context option to FALSE, and disable peer name checking by setting the verify_peer_name context option to FALSE.

PHP source link

First of all, note that the documentation itself draws a clear distinction: openssl.cafile and openssl.capath can be set globally or on a per-request basis, whereas verify_peer and verify_peer_name can only be set for the request.

This means that while openssl.cafile and openssl.capath can be set both through php.ini and through stream_context_set_option, verify_peer and verify_peer_name are accessible only through stream_context_set_option.

This is also confirmed by the PHP source code itself; here are a few lines showing that the underlying C code only reads the value from php_stream_context_get_option.

 must_verify_peer_name = GET_VER_OPT("verify_peer_name") ? zend_is_true(val) : sslsock->is_client;

PHP github source code link

For clarity, here is the declaration of the GET_VER_OPT macro:

 #define GET_VER_OPT(name) \
     (PHP_STREAM_CONTEXT(stream) && \
      (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)

PHP github source code link

Whereas cafile and capath are first read through php_stream_context_get_option, and only if they are NULL in the context are they then taken from the ini configuration:

 GET_VER_OPT_STRING("cafile", cafile);
 GET_VER_OPT_STRING("capath", capath);
 if (cafile == NULL) {
     cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile")-1, 0);
     cafile = strlen(cafile) ? cafile : NULL;
 }

PHP github source code link

Then a little lower in the same function:

 if (capath == NULL) {
     capath = zend_ini_string("openssl.capath", sizeof("openssl.capath")-1, 0);
     capath = strlen(capath) ? capath : NULL;
 }

PHP github source code link

For clarity, here is the declaration of the GET_VER_OPT_STRING macro:

 #define GET_VER_OPT_STRING(name, str) \
     if (GET_VER_OPT(name)) { convert_to_string_ex(val); str = Z_STRVAL_P(val); }

PHP github source code link

You can also see that while these two values, openssl.capath and openssl.cafile, are defined as existing ini settings, verify_peer and verify_peer_name are not found anywhere.

Sadly, the only way to go, as the documentation suggests, is to configure it per request via stream_context_set_option($stream_or_context, 'ssl', 'verify_peer_name', false).



Also note: the default value of these two SSL context parameters changed in PHP version 5.6.0, as stated in the documentation:

5.6.0 Added peer_fingerprint and verify_peer_name. The default value for verify_peer is changed to TRUE.

PHP documentation link

This means that such a problem can occur after upgrading from PHP < 5.6.0; therefore, even though I do not recommend it, since PHP 5.5 is at the end of its support life cycle, the default value of these two parameters can be kept at false by sticking to a PHP version below 5.6.0.

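For the situation in the question (certificate issued to myhost.com, socket opened to localhost), here is an added example that is not code from the question or the answer: it keeps verify_peer and verify_peer_name enabled and instead uses the peer_name SSL context option (available since PHP 5.6) to tell PHP which name to verify the certificate against. The CA bundle path is an assumed placeholder.

```php
<?php
// Added example, not code from the question or the answer above.
// Keeps chain and name verification on; 'peer_name' makes PHP check the
// certificate against 'myhost.com' even though the socket is opened to
// localhost. Assumption: the issuing CA is in the bundle at $caBundle
// (placeholder path; adjust for your system).

$caBundle = '/etc/ssl/certs/ca-certificates.crt';

$context = stream_context_create([
    'ssl' => [
        'verify_peer'       => true,          // validate the certificate chain
        'verify_peer_name'  => true,          // validate the name...
        'peer_name'         => 'myhost.com',  // ...against this name, not 'localhost'
        'cafile'            => $caBundle,     // per-request override of openssl.cafile
        'capture_peer_cert' => true,          // keep the cert so we can inspect it
    ],
]);

$fp = stream_socket_client(
    'tcp://localhost:993', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context
);
if (!$fp) {
    die("Unable to connect: $errstr ($errno)\n");
}

// The ssl context options are consulted here, during the handshake,
// not when the TCP socket is opened.
if (!stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
    die("TLS handshake failed (chain or peer name check did not pass)\n");
}

// Show which certificate was actually verified.
$params = stream_context_get_params($fp);
$cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
printf("Verified peer: %s (valid until %s)\n",
    $cert['subject']['CN'],
    date('Y-m-d', $cert['validTo_time_t'])
);

// Read the server greeting over the now-encrypted stream.
echo fgets($fp);
fclose($fp);
```

Unlike setting verify_peer_name to false, this keeps the mismatch warning from the question as a genuine error while still accepting the legitimately named certificate.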
