Check php 5.6 ssl certificate

I am trying to debug an issue with SSL certificate validation and have determined that OpenSSL is being handed certificate locations whose paths are invalid (see below).

How do I find out where this gets set? I looked at the php.ini file and did not find this path anywhere.

    cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
        [default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
        [ini_cafile] =>
        [ini_capath] =>
    )

php.ini (corresponding parts) ... I do not see bitnami / mampstack56Dev anywhere ...

    [openssl]
    ; The location of a Certificate Authority (CA) file on the local filesystem
    ; to use when verifying the identity of SSL/TLS peers. Most users should
    ; not specify a value for this directive as PHP will attempt to use the
    ; OS-managed cert stores in its absence. If specified, this value may still
    ; be overridden on a per-stream basis via the "cafile" SSL stream context
    ; option.
    ;openssl.cafile=

    ; If openssl.cafile is not specified or if the CA file is not found, the
    ; directory pointed to by openssl.capath is searched for a suitable
    ; certificate. This value must be a correctly hashed certificate directory.
    ; Most users should not specify a value for this directive as PHP will
    ; attempt to use the OS-managed cert stores in its absence. If specified,
    ; this value may still be overridden on a per-stream basis via the "capath"
    ; SSL stream context option.
    ;openssl.capath=

    ;Curl ca bundle certificate
    curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"

EDIT:

I know this is stupid, but there are times when the SSL certificate itself will be self-signed. Is there an ini parameter that I can change to disable verification of all certificates? Or should I do this in code for sockets and cURL?

+6
1 answer

If you check the PHP source for the openssl_get_cert_locations() function, it gets these locations by calling various OpenSSL functions such as X509_get_default_cert_file and by looking at the php.ini values of openssl.cafile and openssl.capath described here.

What certificates / paths are you looking for exactly? If you are trying to get the CA bundle file, you can set the above php.ini values so that they are returned by openssl_get_cert_locations.

The default php.ini for PHP 5.6 does not set default values for these OpenSSL ini parameters; they must be defined manually. This configuration is located near the end of php.ini.

    [openssl]
    ; The location of a Certificate Authority (CA) file on the local filesystem
    ; to use when verifying the identity of SSL/TLS peers. Most users should
    ; not specify a value for this directive as PHP will attempt to use the
    ; OS-managed cert stores in its absence. If specified, this value may still
    ; be overridden on a per-stream basis via the "cafile" SSL stream context
    ; option.
    ;openssl.cafile=

    ; If openssl.cafile is not specified or if the CA file is not found, the
    ; directory pointed to by openssl.capath is searched for a suitable
    ; certificate. This value must be a correctly hashed certificate directory.
    ; Most users should not specify a value for this directive as PHP will
    ; attempt to use the OS-managed cert stores in its absence. If specified,
    ; this value may still be overridden on a per-stream basis via the "capath"
    ; SSL stream context option.
    ;openssl.capath=

When using cURL, if you want to disable certificate verification, you can pass these options to curl_setopt():

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // shouldn't need this

CURLOPT_SSL_VERIFYPEER is described as:

FALSE to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option, or a certificate directory can be specified with the CURLOPT_CAPATH option.

CURLOPT_SSL_VERIFYHOST is described as:

1 to check the existence of a common name in the SSL certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (the default value).

If you have CA files, you can use the CURLOPT_CAINFO option to provide the full path to a file holding one or more certificates to verify the peer with.

To disable checking for a stream opened with fsockopen , try:

    <?php
    $host = 'example.com'; // assumed: the original snippet does not define $host
    $context = stream_context_create();
    $result = stream_context_set_option($context, 'ssl', 'verify_peer', false);
    $socket = stream_socket_client('ssl://' . $host . ':443', $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);

See the SSL context options and stream_socket_client() for more details.

+8
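An added example (not code from the question or the answer above) that takes the other route the answer mentions: it lists the CA locations openssl_get_cert_locations() reports and checks that they exist, then opens the stream and cURL connections with verification kept on, pointing at an explicit CA bundle via the `cafile` context option and CURLOPT_CAINFO. The host and bundle path are placeholders, and the code stays PHP 5.6 compatible.

```php
<?php
// Added example (not from the question or the answer): list the CA
// locations PHP reports, then connect with verification kept ON using an
// explicit bundle ('cafile' context option / CURLOPT_CAINFO). For a
// self-signed server, put that server's PEM cert in the bundle instead of
// switching verification off. Hosts and paths below are placeholders.
function checkCertLocations()
{
    $report = array();
    $loc = openssl_get_cert_locations();
    foreach (array('default_cert_file', 'default_cert_dir', 'ini_cafile', 'ini_capath') as $key) {
        $path = isset($loc[$key]) ? $loc[$key] : '';
        $report[$key] = ($path !== '' && file_exists($path)) ? "ok: $path" : "missing: '$path'";
    }
    return $report;
}
function streamVerified($host, $caBundle)
{
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,  // the cert must also match $host
        'cafile'            => $caBundle,
        'capture_peer_cert' => true,  // so we can report who we talked to
    )));
    $socket = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $context);
    if ($socket === false) {
        return "stream error $errno: $errstr";  // a failed verification lands here
    }
    $params = stream_context_get_params($socket);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($socket);
    return 'ok, peer CN=' . $cert['subject']['CN'] . ', issuer CN=' . $cert['issuer']['CN'];
}
function curlVerified($url, $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep on
        CURLOPT_SSL_VERIFYHOST => 2,     // keep at 2 (the default)
        CURLOPT_CAINFO         => $caBundle,
    ));
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    return ($body === false) ? "curl error: $err" : 'ok';
}
print_r(checkCertLocations());
echo streamVerified('example.com', '/path/to/ca-bundle.pem'), "\n";
echo curlVerified('https://example.com/', '/path/to/ca-bundle.pem'), "\n";
```

If checkCertLocations() reports the default file or directory as missing, that is the cause of the failed validation in the question, and setting openssl.cafile (or the per-call `cafile` / CURLOPT_CAINFO shown here) to a bundle that exists fixes it without turning verification off.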
