summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorBrion Vibber <brion@status.net>2010-08-06 10:14:07 -0700
committerBrion Vibber <brion@status.net>2010-08-06 10:14:07 -0700
commitebd2fc2f7cb799cc190b2d4a77d8d0057a8854c0 (patch)
tree97e3652364c8bc0b4bfd8ac05d90575e7bea7330 /lib
parent300ed65d301d21c33a5f0a196d6acfe762a34f29 (diff)
Partial fix for ticket #2489 -- problems with SNI SSL virtual host certificate validation.
Two prongs here: * We attempt to enable SNI on the SSL stream context with the appropriate hostname... This requires PHP 5.3.2 and OpenSSL that supports the TLS extensions. Unfortunately this doesn't seem to be working in my testing. * If set $config['http']['curl'] = true, we'll use the CURL backend if available. In my testing on Ubuntu 10.04, this works. No guarantees on other systems. I'm not enabling CURL mode by default just yet; want to make sure there's no other surprises.
Diffstat (limited to 'lib')
-rw-r--r--lib/default.php3
-rw-r--r--lib/httpclient.php13
2 files changed, 15 insertions, 1 deletions
diff --git a/lib/default.php b/lib/default.php
index dcf225d1f..45a4560ff 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -315,6 +315,7 @@ $default =
'members' => true,
'peopletag' => true),
'http' => // HTTP client settings when contacting other sites
- array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+ array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+ 'curl' => false, // Use CURL backend for HTTP fetches if available. (If not, PHP's socket streams will be used.)
),
);
diff --git a/lib/httpclient.php b/lib/httpclient.php
index b69f718e5..514a5afeb 100644
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -145,6 +145,10 @@ class HTTPClient extends HTTP_Request2
$this->config['ssl_verify_peer'] = false;
}
+ if (common_config('http', 'curl') && extension_loaded('curl')) {
+ $this->config['adapter'] = 'HTTP_Request2_Adapter_Curl';
+ }
+
parent::__construct($url, $method, $config);
$this->setHeader('User-Agent', $this->userAgent());
}
@@ -204,6 +208,15 @@ class HTTPClient extends HTTP_Request2
protected function doRequest($url, $method, $headers)
{
$this->setUrl($url);
+
+ // Workaround for HTTP_Request2 not setting up SNI in socket contexts;
+ // This fixes cert validation for SSL virtual hosts using SNI.
+ // Requires PHP 5.3.2 or later and OpenSSL with SNI support.
+ if ($this->url->getScheme() == 'https' && defined('OPENSSL_TLSEXT_SERVER_NAME')) {
+ $this->config['ssl_SNI_enabled'] = true;
+ $this->config['ssl_SNI_server_name'] = $this->url->getHost();
+ }
+
$this->setMethod($method);
if ($headers) {
foreach ($headers as $header) {