Red Hat Bugzilla – Bug 619036
PHP not verifying SSL certificates at all
Last modified: 2010-07-29 07:58:49 EDT
Description of problem:
[lkundrak@bombadil ~]$ php -r 'echo fread (fopen ("https://expired.demo.gnutls.org/", "r"), 666);'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Index of /</title>
PHP should not trust an expired certificate. It also happily accepts certificates with wrong signatures, self-signed ones and with invalid common names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.
Version-Release number of selected component (if applicable):
(In reply to comment #0)
> PHP should not trust an expired certificate. It also happily accepts
> certificates with wrong signatures, self-signed ones and with invalid common
> names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.
Not verifying server certificates is a documented default:
I've made a write-up in another bug while dealing with another php/ssl issue that should help you adjust your script to enable verification - see bug #524228, comment #4.
Thank you Tomas, that makes sense (your writeup, not PHP). I think this can be closed; thanks for your time.
You're welcome. Closing this, as I don't expect the defaults are likely to change in RHEL5 without being easily changeable via php.ini directives.
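Added example, not part of the original bug report or of the write-up referenced in comment #1: one way to have the `fopen()` call from the description verify the server certificate, by passing an `ssl` stream context. The helper name `fetch_verified` and the CA bundle path are assumptions; the context options are PHP's documented SSL context options.

```php
<?php
// Added example. Assumption: the system CA bundle lives at the usual
// Fedora/RHEL location; adjust for other distributions.
define('CA_BUNDLE', '/etc/pki/tls/certs/ca-bundle.crt');

// Hypothetical helper: read up to $maxBytes from an https URL, refusing
// expired, self-signed, badly signed or wrongly named certificates.
function fetch_verified($url, $maxBytes = 666)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (parse_url($url, PHP_URL_SCHEME) !== 'https' || !$host) {
        throw new InvalidArgumentException("not an https URL: $url");
    }

    $ssl = array(
        'verify_peer'       => true,      // check chain, signature, validity dates
        'cafile'            => CA_BUNDLE, // trust anchors used for that check
        'verify_depth'      => 5,
        'allow_self_signed' => false,
    );
    // Host name matching: 'CN_match' before PHP 5.6, 'peer_name' from 5.6 on.
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['peer_name']        = $host;
        $ssl['verify_peer_name'] = true;
    } else {
        $ssl['CN_match'] = $host;
    }

    $ctx = stream_context_create(array('ssl' => $ssl));
    $fh  = @fopen($url, 'r', false, $ctx);  // false on handshake failure
    if ($fh === false) {
        $err = error_get_last();
        throw new RuntimeException("TLS verification or connection failed for $host: "
            . ($err ? $err['message'] : 'unknown error'));
    }
    $data = fread($fh, $maxBytes);
    fclose($fh);
    return $data;
}

// URL from the command line, defaulting to the test host in the description.
$url = isset($argv[1]) ? $argv[1] : 'https://expired.demo.gnutls.org/';
try {
    echo fetch_verified($url);
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Without the `cafile` (or `capath`) option, `verify_peer` has no trust anchors on these PHP versions and every handshake fails, so the bundle path must point at a readable file.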