Open chriskilding opened 2 years ago
It seems there are two places we could insert an alternative native TLS cert verification strategy:
The first is modifying Curl itself to build with Secure Transport (Mac) or schannel (Windows) support. If the openssl.cafile
property is then not set, when PHP calls into Curl, it should just benefit from what Curl does transparently.
The second is Guzzle-specific. Under the ['verify' => true]
API, we can substitute native TLS cert verification as an alternate implementation. It still technically fulfils what verify => true
means - verification is indeed happening - just by a different route.
Windows PHP developers who use WampServer (https://www.wampserver.com/en/) have anecdotally reported that custom TLS certs from the Windows Certificate Store are picked up by WampServer's PHP without taking extra steps.
This suggests that either:
There are references to Winsocks in PHP's standard codebase, so it's possible that Winsocks + Schannel come into play when compiled for Windows.
Tracking support for native TLS certificate verification in PHP.
PHP's codebase includes several common networking libraries in its ext/ folder (https://github.com/php/php-src/tree/master/ext). Some of these leverage the well-known C networking libraries:
curl
->libcurl
pdo_mysql
->libmysql
pdo_pgsql
->libpq
pdo_sqlsrv
-> ??ldap
-> ??imap
-> ??ftp
-> OpenSSLThis means that if you wanted to find out if all these libraries could be built with native TLS trust store backends, you could do this by building PHP from source (with the relevant flags).
Composer
Composer (the PHP package manager) is written in PHP, so it will do whatever PHP does for TLS on a given system.
Extra notes on HTTPS
PHP Curl
This appears to use either the
curl.cainfo
oropenssl.cafile
properties set in php.ini, like Guzzle does:Alternatively the properties can be set inline within PHP code:
PHP Streams
TODO
Guzzle
The request
verify
option affects TLS verification:From the docs (https://github.com/guzzle/guzzle/blob/master/docs/request-options.rst#verify):
Note 1: Guzzle used to have a
defaultCaCerts()
method which would return the path to the OpenSSL CA cert bundle on disk, because PHP <5.6 did not set this properly. This method has since been deprecated; I assume that the 'verify' option now just follows PHP defaults (as dictated by theopenssl.cafile
php.ini setting).Note 2: From https://github.com/guzzle/guzzle/issues/2134 it looks like Guzzle might use Curl underneath.
Everything else