WordPress / Requests

Requests for PHP is a humble HTTP request library. It simplifies how you interact with other sites and takes away all your worries.
https://requests.ryanmccue.info/

Support TLS Client Certificates #377

Open pbiron opened 4 years ago

pbiron commented 4 years ago

Per the suggestion in https://core.trac.wordpress.org/ticket/34883#comment:3, I'm opening this issue so that WP's wp_remote_request(), etc. can more easily use client certs.

And while not mentioned in the Trac ticket, there is also a need to set CURLOPT_SSLKEY.

qwqoffice commented 2 years ago

Needs 4 options:

CURLOPT_SSLCERTTYPE
CURLOPT_SSLCERT
CURLOPT_SSLKEYTYPE
CURLOPT_SSLKEY

Otherwise I can only use native cURL instead of wp_remote_request

remcotolsma commented 6 months ago

We did some research @pronamic and this can perhaps be simplified to 3 options for now:

| cURL | Streams | WordPress | Description |
| --- | --- | --- | --- |
| CURLOPT_SSLCERTTYPE | Not available, PEM required. | | Always require PEM in the WordPress requests library? |
| CURLOPT_SSLCERT | local_cert | ssl_certificate | |
| CURLOPT_SSLKEYTYPE | Not available, PEM required. | | Always require PEM in the WordPress requests library? |
| CURLOPT_SSLKEY | local_pk | ssl_private_key | |
| CURLOPT_SSLKEYPASSWD | passphrase | ssl_private_key_password | |
| CURLOPT_SSLCERTPASSWD | Not available. | | It is not common practice to protect certificate files with a password? |
| CURLOPT_CAINFO | 'ssl' => 'cafile' | sslcertificates | Rename to ssl_ca_file? |
| CURLOPT_SSL_VERIFYPEER | 'ssl' => 'verify_peer' | sslverify | Rename to ssl_verify_peer? |

In the request arguments we could perhaps use the following naming convention:

For the cURL transport support for this can be added like this:

```php
/**
 * Support TLS Client Certificates.
 *
 * @link https://core.trac.wordpress.org/ticket/34883#comment:3
 * @link https://github.com/WordPress/Requests/issues/377
 */
\add_action(
    'http_api_curl',
    function ( $handle, $parsed_args, $url ) {
        if ( \array_key_exists( 'ssl_certificate', $parsed_args ) ) {
            \curl_setopt( $handle, \CURLOPT_SSLCERT, $parsed_args['ssl_certificate'] );
        }

        if ( \array_key_exists( 'ssl_private_key', $parsed_args ) ) {
            \curl_setopt( $handle, \CURLOPT_SSLKEY, $parsed_args['ssl_private_key'] );
        }

        if ( \array_key_exists( 'ssl_private_key_password', $parsed_args ) ) {
            \curl_setopt( $handle, \CURLOPT_SSLKEYPASSWD, $parsed_args['ssl_private_key_password'] );
        }
    },
    10,
    3
);
```

It looks like there are currently no hooks available for the streams transport context:

https://github.com/WordPress/Requests/blob/31ba95ab69028213b396cb02b8eb94d721f05768/src/Transport/Fsockopen.php#L106-L172
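An added example, not part of the thread and not code from Requests or WordPress: one way to translate the three argument names proposed above into both the cURL options and the streams `ssl` context keys from the table, rejecting non-PEM files because the streams side has no type option. The function name `example_client_cert_options`, the PEM header check and the key permission check are assumptions of this sketch.

```php
<?php
// Added example; function names are hypothetical, not part of Requests or WordPress.
// Assumes the cURL extension is loaded (for the CURLOPT_* constants).

function example_client_cert_options( array $args ): array {
    // Proposed request argument => [ cURL option, stream 'ssl' context key ].
    $map = array(
        'ssl_certificate'          => array( CURLOPT_SSLCERT, 'local_cert' ),
        'ssl_private_key'          => array( CURLOPT_SSLKEY, 'local_pk' ),
        'ssl_private_key_password' => array( CURLOPT_SSLKEYPASSWD, 'passphrase' ),
    );
    $curl = array();
    $ssl  = array();

    foreach ( $map as $name => list( $curl_option, $context_key ) ) {
        if ( ! isset( $args[ $name ] ) ) {
            continue;
        }
        $value = (string) $args[ $name ];

        if ( 'ssl_private_key_password' !== $name ) {
            // Streams has no counterpart to CURLOPT_SSLCERTTYPE / CURLOPT_SSLKEYTYPE,
            // so accept only files that start with a PEM header (strict on purpose).
            $head = is_readable( $value ) ? (string) file_get_contents( $value, false, null, 0, 64 ) : '';
            if ( 0 !== strpos( ltrim( $head ), '-----BEGIN ' ) ) {
                throw new InvalidArgumentException( "$name must be a readable PEM file." );
            }
        }
        if ( 'ssl_private_key' === $name && ( fileperms( $value ) & 0004 ) ) {
            // POSIX mode bits only; this check is not meaningful on Windows.
            throw new InvalidArgumentException( 'Private key file is world-readable.' );
        }

        $curl[ $curl_option ] = $value;
        $ssl[ $context_key ]  = $value;
    }

    return array( 'curl' => $curl, 'stream_ssl' => $ssl );
}

// Constructed sample input: a placeholder PEM file, not a real certificate.
$pem = tempnam( sys_get_temp_dir(), 'pem' );
file_put_contents( $pem, "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n" );
chmod( $pem, 0600 );

$options = example_client_cert_options( array( 'ssl_certificate' => $pem ) );
// Peer verification stays on; a client certificate does not replace it.
$context = stream_context_create( array( 'ssl' => $options['stream_ssl'] + array( 'verify_peer' => true ) ) );
var_dump( stream_context_get_options( $context )['ssl']['local_cert'] === $pem );
unlink( $pem );
```

The `curl` half of the result can be passed to `curl_setopt_array()` on an existing handle, which covers the same three options as the `http_api_curl` hook above.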