Description of problem:

[lkundrak@bombadil ~]$ php -r 'echo fread (fopen ("https://expired.demo.gnutls.org/", "r"), 666);'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
...

PHP should not trust an expired certificate. It also happily accepts certificates with wrong signatures, self-signed ones and with invalid common names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Version-Release number of selected component (if applicable):

php-5.3.2-2.fc12.ppc
php-5.3.2-2.fc13.i686
php-5.1.6-27.el5

How reproducible:

Always
(In reply to comment #0)
> PHP should not trust an expired certificate. It also happily accepts
> certificates with wrong signatures, self-signed ones and with invalid common
> names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Not verifying server certificates is a documented default:
http://www.php.net/manual/en/context.ssl.php

I've made a write-up in another bug while dealing with some other php/ssl issue that should help you adjust your script to enable verification - see bug #524228, comment #4.
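An added example (not part of the bug thread and not the write-up from bug #524228) of opting in to verification through the SSL stream context options documented at the URL above. The CA bundle path and the helper name `fetch_verified` are assumptions; the test host is the one from the original report.

```php
<?php
// Added example: fetch an HTTPS URL with certificate verification switched on.
// fetch_verified() is a hypothetical helper; the CA bundle path is an
// assumption (usual Fedora/RHEL location) and must match your system.
function fetch_verified($url, $cafile = '/etc/pki/tls/certs/ca-bundle.crt')
{
    $host = parse_url($url, PHP_URL_HOST);
    if (parse_url($url, PHP_URL_SCHEME) !== 'https' || !$host) {
        throw new InvalidArgumentException("not an https URL: $url");
    }
    if (!is_readable($cafile)) {
        // Fail closed: without trust anchors no chain can be validated.
        throw new RuntimeException("CA bundle not readable: $cafile");
    }

    $ssl = array(
        'verify_peer'       => true,    // check chain, signature and validity dates
        'allow_self_signed' => false,   // reject self-signed certificates
        'cafile'            => $cafile,
        'verify_depth'      => 5,
    );
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = true;
        $ssl['peer_name']        = $host;
    } else {
        $ssl['CN_match'] = $host;       // hostname check on PHP before 5.6
    }

    $ctx = stream_context_create(array('ssl' => $ssl));
    $fp  = @fopen($url, 'r', false, $ctx);
    if ($fp === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err ? $err['message'] : 'unknown error'));
    }
    $body = stream_get_contents($fp);
    fclose($fp);
    return $body;
}

try {
    // Host from the report; with verification on, this should take the catch branch.
    echo fetch_verified('https://expired.demo.gnutls.org/');
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```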
Thank you Tomas, that makes sense (your writeup, not PHP). I think this can be closed; thanks for your time.
You're welcome. Closing this, as I don't expect the defaults are likely to change in RHEL5 without being easily changeable via php.ini directives.