]> git.mxchange.org Git - quix0rs-gnu-social.git/commitdiff
projects / quix0rs-gnu-social.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 300ed65)
Partial fix for ticket #2489 -- problems with SNI SSL virtual host certificate valida...
authorBrion Vibber <brion@status.net>
Fri, 6 Aug 2010 17:14:07 +0000 (10:14 -0700)
committerBrion Vibber <brion@status.net>
Fri, 6 Aug 2010 17:14:07 +0000 (10:14 -0700)
Two prongs here:
* We attempt to enable SNI on the SSL stream context with the appropriate hostname... This requires PHP 5.3.2 and OpenSSL that supports the TLS extensions. Unfortunately this doesn't seem to be working in my testing.
* If set $config['http']['curl'] = true, we'll use the CURL backend if available. In my testing on Ubuntu 10.04, this works. No guarantees on other systems.

I'm not enabling CURL mode by default just yet; want to make sure there's no other surprises.

lib/default.php patch | blob | history
lib/httpclient.php patch | blob | history

diff --git a/lib/default.php b/lib/default.php
index dcf225d1fa0b3728e4437774f9c78552c3c9ce79..45a4560ff36100ccda3890267d51615ac1a3a9cd 100644 (file)
--- a/lib/default.php
+++ b/lib/default.php
@@ -315,6 +315,7 @@ $default =
               'members' => true,
               'peopletag' => true),
         'http' => // HTTP client settings when contacting other sites
-        array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+        array('ssl_cafile' => false, // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
+              'curl' => false, // Use CURL backend for HTTP fetches if available. (If not, PHP's socket streams will be used.)
               ),
         );
diff --git a/lib/httpclient.php b/lib/httpclient.php
index b69f718e5f01c3b6e0f2d90f5876b5ecadab95c3..514a5afeb2a91810544252aec7dc0e03b7f4d88d 100644 (file)
--- a/lib/httpclient.php
+++ b/lib/httpclient.php
@@ -145,6 +145,10 @@ class HTTPClient extends HTTP_Request2
             $this->config['ssl_verify_peer'] = false;
         }
 
+        if (common_config('http', 'curl') && extension_loaded('curl')) {
+            $this->config['adapter'] = 'HTTP_Request2_Adapter_Curl';
+        }
+
         parent::__construct($url, $method, $config);
         $this->setHeader('User-Agent', $this->userAgent());
     }
@@ -204,6 +208,15 @@ class HTTPClient extends HTTP_Request2
     protected function doRequest($url, $method, $headers)
     {
         $this->setUrl($url);
+
+        // Workaround for HTTP_Request2 not setting up SNI in socket contexts;
+        // This fixes cert validation for SSL virtual hosts using SNI.
+        // Requires PHP 5.3.2 or later and OpenSSL with SNI support.
+        if ($this->url->getScheme() == 'https' && defined('OPENSSL_TLSEXT_SERVER_NAME')) {
+            $this->config['ssl_SNI_enabled'] = true;
+            $this->config['ssl_SNI_server_name'] = $this->url->getHost();
+        }
+
         $this->setMethod($method);
         if ($headers) {
             foreach ($headers as $header) {
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)