Bug 619036

Summary: PHP not verifying SSL certificates at all
Product: Red Hat Enterprise Linux 5
Component: php
Version: 5.5
Reporter: Lubomir Rintel <lkundrak>
Assignee: Joe Orton <jorton>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
CC: thoger
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Target Milestone: rc
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-07-29 11:58:49 UTC

Description Lubomir Rintel 2010-07-28 12:19:11 UTC
Description of problem:

[lkundrak@bombadil ~]$ php -r 'echo fread (fopen ("https://expired.demo.gnutls.org/", "r"), 666);'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
...

PHP should not trust an expired certificate. It also happily accepts certificates with wrong signatures, self-signed ones and with invalid common names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Version-Release number of selected component (if applicable):

php-5.3.2-2.fc12.ppc
php-5.3.2-2.fc13.i686
php-5.1.6-27.el5

How reproducible:

Always

Comment 1 Tomas Hoger 2010-07-28 12:52:32 UTC
(In reply to comment #0)
> PHP should not trust an expired certificate. It also happily accepts
> certificates with wrong signatures, self-signed ones and with invalid common
> names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Not verifying server certificates is a documented default:
  http://www.php.net/manual/en/context.ssl.php

I've made a write-up in another bug while dealing with another php/ssl issue that should help you adjust your script to enable verification - see bug #524228, comment #4.
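
The write-up referred to above is not on this page, so here is an added example (not code from the bug report or from the PHP project) showing the fetch from the description with the ssl context options from context.ssl.php set so the certificate chain, expiry and name are actually checked. It assumes PHP 5.3 with the openssl extension; the CA bundle path is the RHEL/Fedora default and is an assumption for other systems.

```php
<?php
// Added example, not part of the bug report. Same fetch as in the report,
// but through a stream context that turns certificate verification on.
// Assumed: PHP 5.3+ with ext/openssl; the cafile path is the RHEL/Fedora
// default and may differ elsewhere.

function fetch_verified($url, $cafile = '/etc/pki/tls/certs/ca-bundle.crt')
{
    $host = parse_url($url, PHP_URL_HOST);

    $ctx = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,    // default is false: no chain/expiry check at all
            'allow_self_signed' => false,   // reject self-signed certificates
            'cafile'            => $cafile, // trust anchors for chain validation
            'CN_match'          => $host,   // name check on PHP < 5.6
            'verify_peer_name'  => true,    // name check on PHP >= 5.6 (replaces CN_match)
        ),
    ));

    // fopen() emits E_WARNING on a failed handshake; suppress it and report ourselves.
    $fp = @fopen($url, 'r', false, $ctx);
    if ($fp === false) {
        $err = error_get_last();
        return array('ok' => false, 'error' => $err ? $err['message'] : 'unknown error');
    }
    $body = fread($fp, 666);
    fclose($fp);
    return array('ok' => true, 'body' => $body);
}

// The expired-certificate host from the report: with verification enabled the
// open fails instead of returning the directory index.
$r = fetch_verified('https://expired.demo.gnutls.org/');
echo $r['ok'] ? $r['body'] : "refused: " . $r['error'] . "\n";
```

The same array can be set globally with stream_context_set_default() so every https:// fopen()/file_get_contents() in the script inherits it, which is the php.ini-independent way to get the behaviour the reporter expected.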

Comment 2 Lubomir Rintel 2010-07-29 07:57:08 UTC
Thank you Tomas, that makes sense (your writeup, not PHP). I think this can be closed; thanks for your time.

Comment 3 Tomas Hoger 2010-07-29 11:58:49 UTC
You're welcome.  Closing this, as I don't expect the defaults are likely to change in RHEL5 without being easily changeable via php.ini directives.