Bug 619036 - PHP not verifying SSL certificates at all
Summary: PHP not verifying SSL certificates at all
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: php
Version: 5.5
Hardware: All Linux
low
medium
Target Milestone: rc
Assignee: Joe Orton
QA Contact: BaseOS QE - Apps
Keywords: Security
Reported: 2010-07-28 12:19 UTC by Lubomir Rintel
Modified: 2010-07-29 11:58 UTC (History)

Last Closed: 2010-07-29 11:58:49 UTC

Description Lubomir Rintel 2010-07-28 12:19:11 UTC
Description of problem:

[lkundrak@bombadil ~]$ php -r 'echo fread (fopen ("https://expired.demo.gnutls.org/", "r"), 666);'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
...

PHP should not trust an expired certificate. It also happily accepts certificates with wrong signatures, self-signed ones and with invalid common names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Version-Release number of selected component (if applicable):

php-5.3.2-2.fc12.ppc
php-5.3.2-2.fc13.i686
php-5.1.6-27.el5

How reproducible:

Always

Comment 1 Tomas Hoger 2010-07-28 12:52:32 UTC
(In reply to comment #0)
> PHP should not trust an expired certificate. It also happily accepts
> certificates with wrong signatures, self-signed ones and with invalid common
> names. Same behaviour on Fedora 12, Fedora 13 and RHEL 5.

Not verifying server certificates is a documented default:
  http://www.php.net/manual/en/context.ssl.php

I've made a write-up in another bug while dealing with another php/ssl issue that should help you adjust your script to enable verification - see bug #524228, comment #4.
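
Added example, not part of the original comments and not the write-up from bug #524228: the fopen() call from the description repeated with an SSL stream context that turns verification on, using the context options documented on the manual page linked above. The CA bundle path (the usual RHEL/Fedora location) and the function names verified_context() and fetch_verified() are assumptions of this example.

```php
<?php
// Added example: the same fopen() as in the report, with peer verification on.
// Assumption: CA bundle at the usual RHEL/Fedora path; adjust for other systems.
const CA_BUNDLE = '/etc/pki/tls/certs/ca-bundle.crt';

// Build an SSL stream context that rejects untrusted certificates.
// (verified_context is a hypothetical helper name.)
function verified_context($host, $cafile = CA_BUNDLE)
{
    $ssl = array(
        'verify_peer'       => true,    // check chain, signature and validity dates
        'allow_self_signed' => false,   // self-signed certificates are rejected
        'cafile'            => $cafile, // trust anchors used for the check
        'verify_depth'      => 5,       // maximum chain length accepted
    );
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        // PHP 5.6 and later: host name check via peer_name
        $ssl['verify_peer_name'] = true;
        $ssl['peer_name']        = $host;
    } else {
        // Older PHP (as in the versions reported): match the common name
        $ssl['CN_match'] = $host;
    }
    return stream_context_create(array('ssl' => $ssl));
}

// Read up to $length bytes from $url, or return false if the connection
// (including the TLS handshake) could not be established.
function fetch_verified($url, $length = 666)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new InvalidArgumentException("no host in URL: $url");
    }
    // The https wrapper reads its TLS settings from the 'ssl' context key.
    $fp = @fopen($url, 'r', false, verified_context($host));
    if ($fp === false) {
        return false; // handshake fails when the certificate does not verify
    }
    $data = fread($fp, $length);
    fclose($fp);
    return $data;
}

$body = fetch_verified('https://expired.demo.gnutls.org/');
echo $body === false
    ? "connection refused (certificate verification or network failure)\n"
    : $body;
```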

Comment 2 Lubomir Rintel 2010-07-29 07:57:08 UTC
Thank you Tomas, that makes sense (your writeup, not PHP). I think this can be closed; thanks for your time.

Comment 3 Tomas Hoger 2010-07-29 11:58:49 UTC
You're welcome.  Closing this, as I don't expect the defaults are likely to change in RHEL5 without being easily changeable via php.ini directives.

