From 2c12d837c693a816541d32dd044de5277a46336d Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 21 May 2010 10:12:39 -0700
Subject: Disable SSL peer/hostname verification for HTTPClient unless we've configured a trusted CA bundle like this: $config['http']['ssl_cafile'] = '/usr/lib/ssl/certs/ca-certificates.crt'; The previous state was failing on all HTTPS hits due to HTTP_Request2 library turning on the validation check but not specifying a CA file.
---
 lib/default.php | 3 +++
 lib/httpclient.php | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lib/default.php b/lib/default.php
index ab5f294de..950c6018d 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -304,4 +304,7 @@ $default =
 array('subscribers' => true,
 'members' => true,
 'peopletag' => true),
+ 'http' => // HTTP client settings when contacting other sites
+ array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+ ),
 );
diff --git a/lib/httpclient.php b/lib/httpclient.php
index 384626ae0..b69f718e5 100644
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -132,7 +132,19 @@ class HTTPClient extends HTTP_Request2
 // ought to be investigated to see if we can handle
 // it gracefully in that case as well.
 $this->config['protocol_version'] = '1.0';
-
+
+ // Default state of OpenSSL seems to have no trusted
+ // SSL certificate authorities, which breaks hostname
+ // verification and means we have a hard time communicating
+ // with other sites' HTTPS interfaces.
+ //
+ // Turn off verification unless we've configured a CA bundle.
+ if (common_config('http', 'ssl_cafile')) {
+ $this->config['ssl_cafile'] = common_config('http', 'ssl_cafile');
+ } else {
+ $this->config['ssl_verify_peer'] = false;
+ }
+
 parent::__construct($url, $method, $config);
 $this->setHeader('User-Agent', $this->userAgent());
 }
-- 
cgit v1.2.3
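Review bot: The comment on the new `ssl_cafile` default in lib/default.php explains how to enable validation but not that the shipped value `false` leaves certificate verification off for every outbound HTTPS request made through HTTPClient. I would state that directly, e.g. `// false = outbound HTTPS certificates are NOT verified; set to a CA bundle path (eg '/usr/lib/ssl/certs/ca-certificates.crt') to verify peers`. An administrator reading only this file otherwise has no signal that the default gives up protection against an intercepted connection.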
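Review bot: In lib/httpclient.php the `else` branch sets `ssl_verify_peer` to false silently whenever `ssl_cafile` is unset, so a default install fails open and nothing records that remote certificates are not being checked. A log entry on that path would make the state auditable, e.g. `common_log(LOG_WARNING, 'HTTPClient: no ssl_cafile configured, HTTPS certificates are not verified');`, ideally emitted once rather than per request. `common_config('http', 'ssl_cafile')` is also read twice where one local variable would do. The constructor begins above the hunk, so whether a caller-supplied `$config` can still override these values in `parent::__construct()` is not visible here.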