php 5.6 ssl certificate verify

Backend · Unresolved · 1 · 356
半阙折子戏 2020-12-10 14:52

I am trying to debug a problem with ssl certificate verification and have determined that openssl get cert locations with returning incorrect paths. (See below)

How

1 answer
  •  抹茶落季
    2020-12-10 15:28

    If you check the PHP source for the openssl_get_cert_locations() function, it is getting those locations by calling various OpenSSL functions such as X509_get_default_cert_file and looking at php.ini values openssl.cafile and openssl.capath described here.

    What certificates/paths are you looking for exactly? If you are trying to get a CA bundle file you could set the above referenced php.ini values so they are returned by openssl_get_cert_locations.

    The default php.ini file for PHP 5.6 has no default settings for those OpenSSL ini settings as they need to be defined manually. This configuration is located near the end of php.ini

    [openssl]
    ; The location of a Certificate Authority (CA) file on the local filesystem
    ; to use when verifying the identity of SSL/TLS peers. Most users should
    ; not specify a value for this directive as PHP will attempt to use the
    ; OS-managed cert stores in its absence. If specified, this value may still
    ; be overridden on a per-stream basis via the "cafile" SSL stream context
    ; option.
    ;openssl.cafile=
    
    ; If openssl.cafile is not specified or if the CA file is not found, the
    ; directory pointed to by openssl.capath is searched for a suitable
    ; certificate. This value must be a correctly hashed certificate directory.
    ; Most users should not specify a value for this directive as PHP will
    ; attempt to use the OS-managed cert stores in its absence. If specified,
    ; this value may still be overridden on a per-stream basis via the "capath"
    ; SSL stream context option.
    ;openssl.capath=
    

    When using cURL, if you want to disable cert validation, you can pass these options to curl_setopt():

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);  // shouldn't need this
    

    CURLOPT_SSL_VERIFYPEER is described as:

    FALSE to stop cURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.

    CURLOPT_SSL_VERIFYHOST is described as:

    1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (default value).

    If you have CA files, you can use the option CURLOPT_CAINFO to provide the full path to the file holding one or more certificates to verify the peer with.

    To disable checking for a stream opened with fsockopen, try:

    See SSL Context Options for more info and stream_socket_client().

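As an added example (not part of the question or the answer above), the script below puts the pieces the answer mentions together from the verifying side: it checks which of the paths returned by openssl_get_cert_locations() actually exist on disk, then opens a stream and a cURL request with peer and hostname verification left on and an explicit CA bundle. The host, port and `/path/to/ca-bundle.crt` are placeholders; the function names are my own.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 5.6 with the
// openssl and curl extensions loaded. $caFile below is a placeholder path.

// Report which of the locations PHP/OpenSSL reports actually exist. The *_env
// keys hold environment variable names (e.g. SSL_CERT_FILE), not paths, so
// they are shown verbatim rather than stat'ed.
function reportCertLocations()
{
    $report = array();
    foreach (openssl_get_cert_locations() as $key => $value) {
        if (substr($key, -4) === '_env') {
            $report[$key] = 'env var name: ' . $value;
        } elseif ($value === '' || $value === null) {
            $report[$key] = 'unset';
        } elseif (is_dir($value)) {
            $report[$key] = 'directory exists: ' . $value;
        } elseif (is_file($value)) {
            $report[$key] = 'file exists: ' . $value;
        } else {
            // This is the case the question is about: a reported path that is wrong.
            $report[$key] = 'MISSING: ' . $value;
        }
    }
    return $report;
}

// Open a TLS stream with verification enabled and a pinned CA bundle. These are
// the SSL context options the answer points to, set the safe way round.
function openVerifiedStream($host, $port, $caFile)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,   // check the chain against cafile
            'verify_peer_name'  => true,   // check the certificate matches $host
            'allow_self_signed' => false,
            'cafile'            => $caFile,
            'peer_name'         => $host,
        ),
    ));
    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        throw new RuntimeException("TLS connect to $host:$port failed: $errstr ($errno)");
    }
    return $fp;
}

// Same thing with cURL: CURLOPT_CAINFO supplies the bundle, VERIFYPEER stays
// true and VERIFYHOST stays at 2, as the quoted documentation recommends.
function fetchVerified($url, $caFile)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $caFile);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL request to $url failed: $err");
    }
    curl_close($ch);
    return $body;
}

if (PHP_SAPI === 'cli') {
    print_r(reportCertLocations());

    $caFile = '/path/to/ca-bundle.crt'; // placeholder: point at your CA bundle
    // Uncomment to exercise against a real host once $caFile is valid:
    // fclose(openVerifiedStream('example.com', 443, $caFile));
    // echo substr(fetchVerified('https://example.com/', $caFile), 0, 200), "\n";
}
```

Running the first part alone is enough to confirm the symptom in the question: any entry reported as MISSING is a path PHP will try and fail to use, and setting openssl.cafile / openssl.capath in php.ini (or the per-request options shown) is the fix, rather than turning verification off.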