[phpxmlrpc] ssl verifyhost patch

Who Knows quien-sabe at metaorg.com
Mon Apr 3 21:32:03 BST 2006


In order for curl to verify a peer, the curl library must know where the 
trusted certificate authority certificates are.

This is usually done by either putting all the trusted certs in one file 
or a directory of them which is indexed using an openssl utility. ( at 
least this it true on most Linux implementations )

Reading one PHP reference, it is possible to specify CURLOPT_CAINFO (all
trusted certificate authority certs in one file) by setting an
environment variable with the full path to the file containing the
certs. I suppose this could be done by setting that in the Apache conf,
but I prefer the path method, and programmatic control.

The enclosed patch adds two variables, and two functions to set the 
variables in the xmlrpc client class. The patch also hopefully correctly 
implements them where needed.

I have successfully tested these on a Linux dstribution.

Regards,
Jim

diff -uNr xmlrpc.orig/debugger/action.php xmlrpc/debugger/action.php
--- xmlrpc.orig/debugger/action.php	2006-01-22 16:59:52.000000000 -0700
+++ xmlrpc/debugger/action.php	2006-04-03 13:11:07.673994700 -0700
@@ -57,6 +57,17 @@
     if ($protocol == 2)
     {
       $client->setSSLVerifyPeer($verifypeer);
+	  if($verifypeer)
+	  {
+		if($cainfo)
+		{
+			$client->setCAInfo($cainfo);
+		}
+		if($capath)
+		{
+			$client->setCAPath($capath);
+		}
+	  }
       $client->setSSLVerifyHost($verifyhost);
       $httpprotocol = 'https';
     }
diff -uNr xmlrpc.orig/debugger/common.php xmlrpc/debugger/common.php
--- xmlrpc.orig/debugger/common.php	2006-01-22 16:59:52.000000000 -0700
+++ xmlrpc/debugger/common.php	2006-04-03 12:48:37.627414700 -0700
@@ -63,6 +63,9 @@
       $responsecompression = $_GET['responsecompression'];
 
     $clientcookies = isset($_GET['clientcookies']) ? $_GET['clientcookies'] : '';
+	
+    $cainfo = isset($_GET['cainfo']) ? $_GET['cainfo'] : '';
+    $capath = isset($_GET['capath']) ? $_GET['capath'] : '';
   }
   else
   {
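Review bot: `$cainfo` and `$capath` are read straight from `$_GET` at lines 59–60 and are later handed to curl as server-side file and directory paths, yet nothing in this hunk checks that they name an existing readable file or directory. The line right after the second hunk already opens the input checks (`// check input for known XMLRPC attacks ...`), which is the natural place for `if ($cainfo !== '' && !is_file($cainfo)) { /* report bad CA file */ }` and the `is_dir()` counterpart for `$capath`, so a wrong path is reported by the debugger instead of surfacing as an opaque curl verification error. Line 58 adds a whitespace-only line containing a tab; the same applies to lines 121, 130, 139 and 147 of the xmlrpc.inc hunks. The second hunk of this file (the `else`-branch defaults) needs no change.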
@@ -82,6 +85,8 @@
     $requestcompression = 0;
     $responsecompression = 0;
 	$clientcookies = '';
+	$cainfo = '';
+	$capath = '';
   }
 
   // check input for known XMLRPC attacks against this or other libs
diff -uNr xmlrpc.orig/debugger/controller.php xmlrpc/debugger/controller.php
--- xmlrpc.orig/debugger/controller.php	2006-01-22 16:59:52.000000000 -0700
+++ xmlrpc/debugger/controller.php	2006-04-03 12:55:54.282028900 -0700
@@ -77,11 +77,15 @@
     {
       document.frmaction.verifypeer.disabled = true;
       document.frmaction.verifyhost.disabled = true;
+      document.frmaction.cainfo.disabled = true;
+      document.frmaction.capath.disabled = true;
     }
     else
     {
       document.frmaction.verifypeer.disabled = false;
       document.frmaction.verifyhost.disabled = false;
+      document.frmaction.cainfo.disabled = false;
+      document.frmaction.capath.disabled = false;
     }
   }
 //-->
@@ -133,6 +137,12 @@
 <td></td></td><td>
 </tr>
 <tr>
+<td class="labelcell">&nbsp;</td>
+<td class="labelcell">CAInfo:</td><td><input type="text" size="30" name="cainfo" value="<?php echo htmlspecialchars($cainfo); ?>" /></td>
+<td class="labelcell">CAPath:</td><td><input type="text" size="30" name="capath" value="<?php echo htmlspecialchars($capath); ?>" /></td>
+<td></td><td></td>
+</tr>
+<tr>
 <td class="labelcell">PROXY:</td>
 <td class="labelcell">Server:</td><td><input type="text" name="proxy" value="<?php echo htmlspecialchars($proxy); ?>" /></td>
 <td class="labelcell">Proxy user:</td><td><input type="text" name="proxyuser" value="<?php echo htmlspecialchars($proxyuser); ?>" /></td>
diff -uNr xmlrpc.orig/lib/xmlrpc.inc xmlrpc/lib/xmlrpc.inc
--- xmlrpc.orig/lib/xmlrpc.inc	2006-01-22 16:59:54.000000000 -0700
+++ xmlrpc/lib/xmlrpc.inc	2006-04-03 10:47:31.686286300 -0700
@@ -728,6 +728,8 @@
 		var $proxy_user = '';
 		var $proxy_pass = '';
 		var $cookies=array();
+		var $cainfo='';
+		var $capath='';
 		/**
 		* List of http compression methods accepted by the client for responses.
 		* NB: PHP supports deflate, gzip compressions out of the box if compiled w. zlib
@@ -899,6 +901,25 @@
 		{
 			$this->verifyhost = $i;
 		}
+		
+		/*
+		* @param string $cafile The name of a file holding one or more certificates to verify the peer with.
+		* @access public
+		*/
+		function setCAInfo($cai)
+		{
+			$this->cainfo = $cai;
+		}
+		
+		/*
+		* @param string $capath  A directory that holds multiple CA certificates.
+		* @access public
+		*/
+		function setCAPath($cap)
+		{
+			$this->capath = $cap;
+		}
+		
 
 		/**
 		* Set proxy info
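Review bot: The two new doc comments at lines 122 and 131 open with `/*` rather than `/**`, so unlike the existing `/** ... */` block visible at line 114 they are not docblocks and documentation tools will skip them; in addition the `@param` names do not match the real parameter names (`$cafile` vs `$cai`, `$capath` vs `$cap`). Change the openers to `/**` and the tags to `* @param string $cai path of a file holding one or more CA certificates used to verify the peer` and `* @param string $cap directory holding multiple CA certificates`. A short first line stating the purpose (e.g. `Set the CA bundle file used by curl for peer verification`) would match the style of the neighbouring `Set proxy info` docblock. The hunk begins inside the preceding setter (it ends with `$this->verifyhost = $i;`), whose start lies outside the hunk.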
@@ -1416,6 +1437,18 @@
 				}
 				// whether to verify remote host's cert
 				curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, $this->verifypeer);
+				
+				if($this->verifypeer)
+				{
+					if($this->cainfo)
+					{
+						curl_setopt($curl, CURLOPT_CAINFO, $this->cainfo);
+					}
+					if($this->capath)
+					{
+						curl_setopt($curl, CURLOPT_CAPATH, $this->capath);
+					}
+				}
 				// whether to verify cert's common name (CN); 0 for no, 1 to verify that it exists, and 2 to verify that it matches the hostname used
 				curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, $this->verifyhost);
 			}
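Review bot: The new block deliberately leaves `cainfo`/`capath` unapplied whenever `$this->verifypeer` is off, but nothing says so, and a reader may later "fix" it by hoisting the `curl_setopt` calls out of the guard. A comment above line 148 such as `// CA file/dir only matter when peer verification is on; otherwise keep curl's defaults` records the intent, matching the existing `// whether to verify ...` comments on lines 145 and 159. The enclosing method starts and ends outside the hunk.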

