Disable SSL peer/hostname verification for HTTPClient unless we've configured a trust...
authorBrion Vibber <brion@pobox.com>
Fri, 21 May 2010 17:12:39 +0000 (10:12 -0700)
committerBrion Vibber <brion@pobox.com>
Fri, 21 May 2010 17:12:39 +0000 (10:12 -0700)
The previous state was failing on all HTTPS hits because the HTTP_Request2 library turns on certificate validation without specifying a CA file.

lib/default.php
lib/httpclient.php

index ab5f294ded5946e9cc45cd21a62587da61b1add0..950c6018d8f167095e7b9d30a9eeb9a63e823c17 100644 (file)
@@ -304,4 +304,7 @@ $default =
         array('subscribers' => true,
               'members' => true,
               'peopletag' => true),
+        'http' => // HTTP client settings when contacting other sites
+        array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+              ),
         );
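Review bot: The comment on the new `'ssl_cafile' => false` default does not say what `false` means in practice, and it is the security-relevant part: with no CA bundle configured, lib/httpclient.php in this same commit turns off SSL peer verification for every outgoing HTTPS request, so the site talks to remote hosts without authenticating them. The comment should state that trade-off where an admin reads it, e.g. `// false disables SSL peer verification entirely; point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt') to validate certs`. The `// HTTP client settings ...` comment sitting between `'http' =>` and `array(` is also easy to miss; placing it on its own line above the key matches the rest of the `$default` array.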
index 384626ae06348de59dffc70af3a1a82338ed91e4..b69f718e5f01c3b6e0f2d90f5876b5ecadab95c3 100644 (file)
@@ -132,7 +132,19 @@ class HTTPClient extends HTTP_Request2
         // ought to be investigated to see if we can handle
         // it gracefully in that case as well.
         $this->config['protocol_version'] = '1.0';
-        
+
+        // Default state of OpenSSL seems to have no trusted
+        // SSL certificate authorities, which breaks hostname
+        // verification and means we have a hard time communicating
+        // with other sites' HTTPS interfaces.
+        //
+        // Turn off verification unless we've configured a CA bundle.
+        if (common_config('http', 'ssl_cafile')) {
+            $this->config['ssl_cafile'] = common_config('http', 'ssl_cafile');
+        } else {
+            $this->config['ssl_verify_peer'] = false;
+        }
+
         parent::__construct($url, $method, $config);
         $this->setHeader('User-Agent', $this->userAgent());
     }
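Review bot: The `else` branch silently downgrades every HTTPS request to an unauthenticated connection when `http/ssl_cafile` is unset, which is the out-of-the-box state per lib/default.php; nothing records that this happened, so an operator has no way to notice that certificate checks are off. The branch should at least emit a warning through `common_log()` once the fallback is taken, and the duplicated `common_config('http', 'ssl_cafile')` lookup can be collapsed into a local. The commit title speaks of disabling peer and hostname verification, but only `ssl_verify_peer` is set here; whether `ssl_verify_host` still has any effect without peer verification depends on the HTTP_Request2 adapter, so either set it explicitly or narrow the title. The enclosing constructor begins before this hunk.
```php
        // Turn off verification unless we've configured a CA bundle.
        $cafile = common_config('http', 'ssl_cafile');
        if ($cafile) {
            $this->config['ssl_cafile'] = $cafile;
        } else {
            // No trust store configured: remote HTTPS peers are NOT
            // authenticated. Log it so the operator can see why.
            common_log(LOG_WARNING, 'HTTPClient: no http/ssl_cafile configured; disabling SSL peer verification');
            $this->config['ssl_verify_peer'] = false;
        }
        // … unchanged: parent::__construct and User-Agent header …
```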