Ayesh
commented
4 months ago Unlike Macos and Linux, Windows doesn't have a single file root CA file. That's why the ini values are empty in the first place.
We recently upped the minimum required Libcurl version to 7.61.0. There is support to use native Windows CA store in Libcurl 7.71 (https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html). It will need some work in the Curl extension, but I think this is the way to go. Probably easier to implement now with a not-so-distant minimum required version.
One alternative, bundling our own root CA list, is a big no-no in my opinion.
Description
In PHP's current implementation, there is an inconsistency in how the language handles SSL/TLS certificate validation across different operating systems. This inconsistency primarily affects Windows users.
In this proof-of-concept, we can see the behavior clearly:
On Windows, the script does two requests:
Request correctly failed without CA certificate (expected on Windows)Request succeeded with provided CA certificateOn Linux and Mac, it uses the O.S CA file, which prints
Request succeeded without CA certificate (expected on Linux and macOS)On Linux, it uses by default:
On Mac, it uses:
On Windows, both are blank:
Which means that PHP doesn't have a fallback Certificate Authority file to validate HTTPS requests, which leads to issues such as these. The common solution for this problem for Windows users is to download a trusted CA file (such as from Mozilla), and update php.ini to use it:
openssl.cafileto the downloaded fileThis is a sub-optimal solution as it increases complexity for the average John Doe that just wants to do a network request against a HTTPS URL.
I think PHP in Windows could fallback to accessing the Windows Certificate Store, or bundle a trusted CA file, although this might get outdated.