pusher / pusher-http-php

PHP library for interacting with the Pusher Channels HTTP API
https://pusher.com/docs/server_api_guide

What is the new correct way of disabling SSL verification post 6.0? #313

Closed vesper8 closed 2 years ago

vesper8 commented 2 years ago

Previously we were able to set

    'curl_options' => [
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => 0,
    ],

But since curl_options was removed in 6.0, what is now the current way of disabling SSL verification?

I've found that if I edit vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php and add $options['verify'] = false; to the __invoke method it will do the trick.. but I can't figure out how to set this value through the Laravel configuration.

I know this isn't a Laravel package but it's widely used in Laravel so am hoping someone can provide some insight. Is it even possible or is the only way to revert to ^5.0?

Thanks

benw-pusher commented 2 years ago

The library no longer supports the curl_options configuration, there is no way to achieve the same without reverting to v5 as you suggest. Are you encountering issues when using Channels or are you using a third-party WebSocket service?

vesper8 commented 2 years ago

I and dozens of other people (as indicated by the dozen or so SSL-related recently opened issues that mention curl_options) are having issues using https://github.com/beyondcode/laravel-websockets. Reverting to v5 does indeed resolve the issue.

I understand that this is not your problem.. it's just unfortunate that this deprecation is affecting many.

It seems like there is a solution as indicated by the manual edit of vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php, but I guess we would have to fork Guzzle in order to slip in that optional $options['verify'] = false; in there.. and I'm guessing forking Guzzle would be pretty bad practice.

francoism90 commented 2 years ago

This is a real problem when just running and testing packages locally. I do understand the importance of signed/verified certificates, but on LAN this has little to no meaning, however sometimes you do need to test with SSL-enabled and just use a self-signed certificate.

Can you please make this configurable again? Or can this be disabled globally? Using a fork is indeed not recommended @vesper8.

benw-pusher commented 2 years ago

This library is designed as a library for pushing events to the Pusher Channels service. When using this service there is no need to customise the SSL certificates. This request is an enhancement. Unfortunately, updating this library to facilitate the use of a 'Pusher replacement' (laravel-websockets) is not a high priority and it is likely we won't implement this.

ven0ms99 commented 2 years ago

Any news on this? I understand it's not your task, but so many people would benefit from it.

francoism90 commented 2 years ago

@Hillcow Are you using a framework? It works for me on Laravel 9 with a self-signed cert.

ven0ms99 commented 2 years ago

@francoism90 I'm on Laravel 9 as well, yes. So what's your local setup without setting CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER?

francoism90 commented 2 years ago

@Hillcow You need to set those options, it will not work without them.

ven0ms99 commented 2 years ago

That is precisely the entire problem of this issue here, @francoism90. Because you cannot set those options after version 5. of pusher-http-php. Check your version, you're probably running on 5. or even older.

francoism90 commented 2 years ago

@Hillcow "pusher/pusher-php-server": "^7.0",

ven0ms99 commented 2 years ago

@francoism90 How? Did you set client_options in broadcasting.php? CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are definitely not supported any longer.

Did you use this solution? Was it actually merged in Laravel 9? Cannot find anything about it in the docs.

francoism90 commented 2 years ago

@Hillcow https://github.com/soketi/soketi/issues/191#issuecomment-1028877964

Yeah, sorry.. I'm extending this.

However, I no longer need this as I'm using Soketi over localhost (internal), and HTTPS using a nginx proxy to provide the socket publicly.
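
For the local self-signed setup discussed in this thread, the following is an added example (not code from any commenter or from the pusher-http-php project) that keeps peer and host verification on and trusts the local CA through a custom Guzzle client passed as the fifth constructor argument. The CA path, host, port and credentials are assumed placeholders.

```php
<?php
// Added example: trust a local CA instead of setting 'verify' => false.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use Pusher\Pusher;

/**
 * Build a Guzzle client that still verifies the server certificate, but
 * against the CA that signed the local WebSocket server's certificate.
 */
function makeLocalCaClient(string $caFile): Client
{
    $pem = @file_get_contents($caFile);
    if ($pem === false) {
        throw new RuntimeException("CA file not readable: {$caFile}");
    }
    // Fail early if the file does not start with a PEM certificate.
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException("Not a PEM certificate: {$caFile}");
    }
    // An expired CA would otherwise surface later as an opaque cURL error.
    $info = openssl_x509_parse($cert);
    if ($info === false || $info['validTo_time_t'] < time()) {
        throw new RuntimeException("CA certificate expired or unparsable: {$caFile}");
    }

    return new Client([
        'verify'  => $caFile, // Guzzle: path to a CA bundle; verification stays enabled
        'timeout' => 5,
    ]);
}

// Assumed placeholder values for a local development server.
// The server certificate must list this host name, or host verification fails.
$caFile = __DIR__ . '/storage/certs/local-ca.pem';

$pusher = new Pusher(
    'app-key',
    'app-secret',
    'app-id',
    ['host' => 'ws.example.test', 'port' => 6001, 'scheme' => 'https'],
    makeLocalCaClient($caFile)
);

$pusher->trigger('test-channel', 'ping', ['ok' => true]);
```

With a certificate signed by a CA the client trusts, the hostname and chain checks that CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER control remain active, so the same configuration shape carries over to non-local environments.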