Bug 619036
Summary: | PHP not veryfying SSL certificates at all | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Lubomir Rintel <lkundrak> |
Component: | php | Assignee: | Joe Orton <jorton> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE - Apps <qe-baseos-apps> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 5.5 | CC: | thoger |
Target Milestone: | rc | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-07-29 11:58:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lubomir Rintel
2010-07-28 12:19:11 UTC
(In reply to comment #0) > PHP should not trust an expired certificate. It also happily accepts > certificates with wrong signatures, self-signed ones and with invalid common > names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5. Not verifying server certificates is a documented default: http://www.php.net/manual/en/context.ssl.php I've made some write-up in other bug while dealing with some other php/ssl issue that should help you adjust you script to enable verification - see bug #524228, comment #4. Thank you Tomas, that makes sense (your writeup, not PHP). I think this can be closed; thanks for your time. You're welcome. Closing this, as I don't expect the defaults are likely to change in RHEL5 without being easily changeable via php.ini directives. |