How to set 'verify_peer_name=false' SSL context option via php.ini in PHP 5.6

Question

The case: I would like to open SSL connection to localhost while SSL certificate was issues for FQDN.

The problem: Without special handling in line (*

Answer 1

TL; DR

When cafile and capath are at the same time runtime configuration and SSL context options, verify_peer_name and verify_peer are only SSL context options.

So those later two can not be modified via runtime configuration directives.

---

I can understand the confusion from the documentation reproduced here under, but those two paragraphs actually refer to two different concept in PHP.

The default CA bundle may be overridden on a global basis by setting either the openssl.cafile or openssl.capath configuration setting, or on a per request basis by using the cafile or capath context options.

While not recommended in general, it is possible to disable peer certificate verification for a request by setting the verify_peer context option to FALSE, and to disable peer name validation by setting the verify_peer_name context option to FALSE.

Link to PHP manual source

First note that the documentation itself makes a clear difference between openssl.cafile and openssl.capath being on a global basis or on a per request basis versus verify_peer and verify_peer_name being for a request only.

So that basically means that, when openssl.cafile and openssl.capath can be adapted both via php.ini or via stream_context_set_option, on the other hand verify_peer and verify_peer_name are only accessible via stream_context_set_option.

This is also confirmed by PHP source code itself, here are some lines showing that PHP underlaying C language is getting the value from php_stream_context_get_option only.

must_verify_peer_name = GET_VER_OPT("verify_peer_name")
        ? zend_is_true(val)
        : sslsock->is_client;

Link to PHP github source code

For clarity, here is the declaration of the macro GET_VER_OPT

#define GET_VER_OPT(name)               (PHP_STREAM_CONTEXT(stream) && (val = php_stream_context_get_option(PHP_STREAM_CONTEXT(stream), "ssl", name)) != NULL)

Link to PHP github source code

When cafile and capath are actually first matched against php_stream_context_get_option value, but then, if those are NULL in the context, they are then fetched in the ini configuration.

GET_VER_OPT_STRING("cafile", cafile);
GET_VER_OPT_STRING("capath", capath);

if (cafile == NULL) {
    cafile = zend_ini_string("openssl.cafile", sizeof("openssl.cafile")-1, 0);
    cafile = strlen(cafile) ? cafile : NULL;
}

Link to PHP github source code

Then a little lower in the exact same function:

if (capath == NULL) {
    capath = zend_ini_string("openssl.capath", sizeof("openssl.capath")-1, 0);
    capath = strlen(capath) ? capath : NULL;
}

Link to PHP github source code

For clarity, here is the declaration of the macro GET_VER_OPT_STRING

#define GET_VER_OPT_STRING(name, str)   if (GET_VER_OPT(name)) { convert_to_string_ex(val); str = Z_STRVAL_P(val); }

Link to PHP github source code

You can also see that, when those two value openssl.capth and openssl.cafile are defined as existing ini configuration, the later verify_peer and verify_peer_name are nowhere to be found.

So sadly the only way to go, as the documentation is prompting it, is to configure it for a request via stream_context_set_option ( $stream_or_context , 'ssl' , 'verify_peer_name' , false )

---

In a long gone history: this was the default value of those two SSL context options. They changed in PHP version 5.6.0, as prompted by the documentation:

5.6.0 Added peer_fingerprint and verify_peer_name. verify_peer default changed to TRUE.

Link to PHP documentation

Which means that this kind of issue can appear after upgrading PHP from PHP < 5.6.0 so, the default value of those two options could have been kept to false by sticking to a PHP version lower than 5.6.0; but since the branches 5.*.* of PHP are now totally out of support this is not a viable option anymore.