Bug 619036 - PHP not verifying SSL certificates at all
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: php
Version: 5.5
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Joe Orton
QA Contact: BaseOS QE - Apps
Keywords: Security
Reported: 2010-07-28 08:19 EDT by Lubomir Rintel
Modified: 2010-07-29 07:58 EDT
Doc Type: Bug Fix
Last Closed: 2010-07-29 07:58:49 EDT

Description Lubomir Rintel 2010-07-28 08:19:11 EDT
Description of problem:

[lkundrak@bombadil ~]$ php -r 'echo fread (fopen ("https://expired.demo.gnutls.org/", "r"), 666);'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
...

PHP should not trust an expired certificate. It also happily accepts certificates with wrong signatures, self-signed ones and with invalid common names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Version-Release number of selected component (if applicable):

php-5.3.2-2.fc12.ppc
php-5.3.2-2.fc13.i686
php-5.1.6-27.el5

How reproducible:

Always
Comment 1 Tomas Hoger 2010-07-28 08:52:32 EDT
(In reply to comment #0)
> PHP should not trust an expired certificate. It also happily accepts
> certificates with wrong signatures, self-signed ones and with invalid common
> names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Not verifying server certificates is a documented default:
  http://www.php.net/manual/en/context.ssl.php

I've made a write-up in another bug while dealing with some other php/ssl issue that should help you adjust your script to enable verification - see bug #524228, comment #4.
Comment 2 Lubomir Rintel 2010-07-29 03:57:08 EDT
Thank you Tomas, that makes sense (your writeup, not PHP). I think this can be closed; thanks for your time.
Comment 3 Tomas Hoger 2010-07-29 07:58:49 EDT
You're welcome.  Closing this, as I don't expect the defaults are likely to change in RHEL5 without being easily changeable via php.ini directives.
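
What comment 1 describes, as an added example (not code from this bug, from bug #524228, or from PHP itself): the reporter's fopen() call repeated with an SSL stream context that turns verification on explicitly. The function names are hypothetical, the CA bundle path is an assumed RHEL/Fedora location, and the option names are those of the SSL context options page linked in comment 1.

```php
<?php
// Added example: open an https:// URL with certificate verification requested
// explicitly through an SSL stream context, rather than relying on the default.

function verified_context($host, $caFile = '/etc/pki/tls/certs/ca-bundle.crt')
{
    // Assumption: $caFile is the system CA bundle; adjust the path per system.
    $ssl = array(
        'verify_peer'       => true,    // validate the chain against cafile
        'cafile'            => $caFile,
        'verify_depth'      => 5,       // abort on overly deep chains
        'allow_self_signed' => false,
    );
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = true;
        $ssl['peer_name']        = $host;
    } else {
        // Before PHP 5.6 the expected host name is given as CN_match.
        $ssl['CN_match'] = $host;
    }
    return stream_context_create(array('ssl' => $ssl));
}

function fetch_verified($url, $length = 666)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!$host || parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException("not an https URL: $url");
    }
    // fopen() returns false when the handshake (or the connection) fails.
    $fp = @fopen($url, 'r', false, verified_context($host));
    if ($fp === false) {
        return false;
    }
    $data = fread($fp, $length);
    fclose($fp);
    return $data;
}

// Defaults to the test host used in the description of this bug.
$url  = isset($argv[1]) ? $argv[1] : 'https://expired.demo.gnutls.org/';
$body = fetch_verified($url);
if ($body === false) {
    fwrite(STDERR, "refused: connection failed or certificate did not verify\n");
    exit(1);
}
echo $body;
```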
