From a8d92dad5e4b82dd5a4f0ca7ed52f37256b60cd2 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Mon, 29 Mar 2010 15:07:15 -0700
Subject: Renamed HTTPResponse class to StatusNet_HTTPResponse to avoid conflict with PECL HTTP extension.

The class isn't referenced by name by any other code I can see so this should have no side effects.
---
 lib/httpclient.php | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'lib/httpclient.php')

diff --git a/lib/httpclient.php b/lib/httpclient.php
index 64a51353c..384626ae0 100644
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -43,6 +43,9 @@ require_once 'HTTP/Request2/Response.php';
  *
  * This extends the HTTP_Request2_Response class with methods to get info
  * about any followed redirects.
+ *
+ * Originally used the name 'HTTPResponse' to match earlier code, but
+ * this conflicts with a class in in the PECL HTTP extension.
  *
  * @category HTTP
  * @package StatusNet
@@ -51,7 +54,7 @@ require_once 'HTTP/Request2/Response.php';
  * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
  * @link http://status.net/
  */
-class HTTPResponse extends HTTP_Request2_Response
+class StatusNet_HTTPResponse extends HTTP_Request2_Response
 {
     function __construct(HTTP_Request2_Response $response, $url, $redirects=0)
     {
@@ -146,7 +149,7 @@ class HTTPClient extends HTTP_Request2
     /**
      * Convenience function to run a GET request.
      *
-     * @return HTTPResponse
+     * @return StatusNet_HTTPResponse
      * @throws HTTP_Request2_Exception
      */
     public function get($url, $headers=array())
@@ -157,7 +160,7 @@ class HTTPClient extends HTTP_Request2
     /**
      * Convenience function to run a HEAD request.
      *
-     * @return HTTPResponse
+     * @return StatusNet_HTTPResponse
      * @throws HTTP_Request2_Exception
      */
     public function head($url, $headers=array())
@@ -171,7 +174,7 @@ class HTTPClient extends HTTP_Request2
      * @param string $url
      * @param array $headers optional associative array of HTTP headers
      * @param array $data optional associative array or blob of form data to submit
-     * @return HTTPResponse
+     * @return StatusNet_HTTPResponse
      * @throws HTTP_Request2_Exception
      */
     public function post($url, $headers=array(), $data=array())
@@ -183,7 +186,7 @@ class HTTPClient extends HTTP_Request2
     }
 
     /**
-     * @return HTTPResponse
+     * @return StatusNet_HTTPResponse
      * @throws HTTP_Request2_Exception
      */
     protected function doRequest($url, $method, $headers)
@@ -217,12 +220,12 @@ class HTTPClient extends HTTP_Request2
     }
 
     /**
-     * Actually performs the HTTP request and returns an HTTPResponse object
-     * with response body and header info.
+     * Actually performs the HTTP request and returns a
+     * StatusNet_HTTPResponse object with response body and header info.
      *
      * Wraps around parent send() to add logging and redirection processing.
      *
-     * @return HTTPResponse
+     * @return StatusNet_HTTPResponse
      * @throw HTTP_Request2_Exception
      */
     public function send()
@@ -265,6 +268,6 @@ class HTTPClient extends HTTP_Request2
             }
             break;
         } while ($maxRedirs);
-        return new HTTPResponse($response, $this->getUrl(), $redirs);
+        return new StatusNet_HTTPResponse($response, $this->getUrl(), $redirs);
     }
 }
-- 
cgit v1.2.3-54-g00ecf


From 2c12d837c693a816541d32dd044de5277a46336d Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 21 May 2010 10:12:39 -0700
Subject: Disable SSL peer/hostname verification for HTTPClient unless we've configured a trusted CA bundle like this:

$config['http']['ssl_cafile'] = '/usr/lib/ssl/certs/ca-certificates.crt';

The previous state was failing on all HTTPS hits due to HTTP_Request2 library turning on the validation check but not specifying a CA file.
---
 lib/default.php    |  3 +++
 lib/httpclient.php | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

(limited to 'lib/httpclient.php')
diff --git a/lib/default.php b/lib/default.php
index ab5f294de..950c6018d 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -304,4 +304,7 @@ $default =
         array('subscribers' => true,
               'members' => true,
               'peopletag' => true),
+        'http' => // HTTP client settings when contacting other sites
+        array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+              ),
         );
diff --git a/lib/httpclient.php b/lib/httpclient.php
index 384626ae0..b69f718e5 100644
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -132,7 +132,19 @@ class HTTPClient extends HTTP_Request2
         // ought to be investigated to see if we can handle
         // it gracefully in that case as well.
         $this->config['protocol_version'] = '1.0';
-
+
+        // Default state of OpenSSL seems to have no trusted
+        // SSL certificate authorities, which breaks hostname
+        // verification and means we have a hard time communicating
+        // with other sites' HTTPS interfaces.
+        //
+        // Turn off verification unless we've configured a CA bundle.
+        if (common_config('http', 'ssl_cafile')) {
+            $this->config['ssl_cafile'] = common_config('http', 'ssl_cafile');
+        } else {
+            $this->config['ssl_verify_peer'] = false;
+        }
+
         parent::__construct($url, $method, $config);
         $this->setHeader('User-Agent', $this->userAgent());
     }
-- 
cgit v1.2.3-54-g00ecf


From ebd2fc2f7cb799cc190b2d4a77d8d0057a8854c0 Mon Sep 17 00:00:00 2001
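Review bot: The new `'ssl_cafile' => false` entry in lib/default.php documents only how to turn validation on, not what the default does, so an operator reading the defaults cannot tell that leaving it `false` makes every outbound HTTPS fetch accept any certificate. I would extend the inline comment to state the consequence, e.g. `// false disables certificate verification for all outbound HTTPS requests; point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt') to validate peers`. The `$default` array this hunk extends starts outside the hunk.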
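Review bot: The `else` branch in the lib/httpclient.php hunk sets `ssl_verify_peer` to `false` whenever `http.ssl_cafile` is unset, and unset is the shipped default, so out of the box every HTTPS request made by this client accepts whatever certificate the remote end presents and an on-path attacker can impersonate any site it talks to; as far as I can tell PHP's stream wrapper also skips the hostname check once `verify_peer` is off. The commit message frames this as restoring connectivity, but it is a fail-open default with no runtime signal that verification has been dropped. At minimum the branch should emit a warning through the project's logger so the condition shows up in logs, and the comment should say plainly what is given up, e.g. `// No CA bundle configured: the peer certificate is NOT validated; any HTTPS server is accepted.`. A better default would probe for the platform bundle (the path named in the commit message, guarded by `file_exists()`) and use it when present, so the insecure branch is only reached when no bundle exists at all. The enclosing constructor starts outside the hunk.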
From: Brion Vibber
Date: Fri, 6 Aug 2010 10:14:07 -0700
Subject: Partial fix for ticket #2489 -- problems with SNI SSL virtual host certificate validation.

Two prongs here:
* We attempt to enable SNI on the SSL stream context with the appropriate hostname... This requires PHP 5.3.2 and OpenSSL that supports the TLS extensions. Unfortunately this doesn't seem to be working in my testing.
* If set $config['http']['curl'] = true, we'll use the CURL backend if available. In my testing on Ubuntu 10.04, this works. No guarantees on other systems.

I'm not enabling CURL mode by default just yet; want to make sure there's no other surprises.
---
 lib/default.php    |  3 ++-
 lib/httpclient.php | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

(limited to 'lib/httpclient.php')

diff --git a/lib/default.php b/lib/default.php
index dcf225d1f..45a4560ff 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -315,6 +315,7 @@ $default =
               'members' => true,
               'peopletag' => true),
         'http' => // HTTP client settings when contacting other sites
-        array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+        array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+              'curl' => false, // Use CURL backend for HTTP fetches if available. (If not, PHP's socket streams will be used.)
               ),
         );
diff --git a/lib/httpclient.php b/lib/httpclient.php
index b69f718e5..514a5afeb 100644
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -145,6 +145,10 @@ class HTTPClient extends HTTP_Request2
             $this->config['ssl_verify_peer'] = false;
         }
 
+        if (common_config('http', 'curl') && extension_loaded('curl')) {
+            $this->config['adapter'] = 'HTTP_Request2_Adapter_Curl';
+        }
+
         parent::__construct($url, $method, $config);
         $this->setHeader('User-Agent', $this->userAgent());
     }
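Review bot: When `http.curl` is enabled but ext/curl is not loaded, the new condition in lib/httpclient.php silently falls through to the socket adapter, so an operator who turned curl on specifically to get working certificate validation (the motivation given in the commit message) ends up with the old behaviour and no indication of it. I would add an `elseif (common_config('http', 'curl'))` branch that logs a warning such as `curl backend requested but ext/curl is not loaded; falling back to socket adapter`. It is also worth confirming that HTTP_Request2_Adapter_Curl honours the `ssl_cafile`/`ssl_verify_peer` values set just above, since otherwise switching backends silently changes the verification policy; a one-line comment recording that check would help the next reader. The enclosing constructor starts outside the hunk.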
@@ -204,6 +208,15 @@ class HTTPClient extends HTTP_Request2
     protected function doRequest($url, $method, $headers)
     {
         $this->setUrl($url);
+
+        // Workaround for HTTP_Request2 not setting up SNI in socket contexts;
+        // This fixes cert validation for SSL virtual hosts using SNI.
+        // Requires PHP 5.3.2 or later and OpenSSL with SNI support.
+        if ($this->url->getScheme() == 'https' && defined('OPENSSL_TLSEXT_SERVER_NAME')) {
+            $this->config['ssl_SNI_enabled'] = true;
+            $this->config['ssl_SNI_server_name'] = $this->url->getHost();
+        }
+
         $this->setMethod($method);
         if ($headers) {
             foreach ($headers as $header) {
-- 
cgit v1.2.3-54-g00ecf
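Review bot: The SNI options are applied only inside doRequest(), so they take effect on the get()/head()/post() paths but not when a caller constructs the client with a URL (the constructor signature in the earlier hunks takes `$url`) and calls the public `send()` directly; those requests go out without a server name and, when a CA bundle is configured, will fail or validate against the wrong virtual host. Since `send()` is already the override that wraps parent::send(), computing `ssl_SNI_server_name` from `$this->url` at the top of send(), or in a setUrl() override, would cover every entry point. Relatedly, if the redirect loop in send() follows a redirect to a different HTTPS host, `ssl_SNI_server_name` presumably still names the original host unless it is recomputed there; worth checking. The `== 'https'` comparison is also case-sensitive, so a URL given as `HTTPS://...` would skip SNI if getScheme() does not normalise case; `strtolower($this->url->getScheme()) === 'https'` avoids that. doRequest() continues past the end of the hunk.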