php 5.6 ssl certificate verify

Tags: php, ssl

I am trying to debug a problem with SSL certificate verification and have determined that openssl_get_cert_locations() is returning incorrect paths (see below).

How do I figure out how to set this? I looked in the php.ini file and couldn't find this reference anywhere.

cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
    [default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
    [ini_cafile] => 
    [ini_capath] => 
)

php.ini (relevant parts)... I don't see bitnami/mampstack56Dev anywhere...

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

;Curl ca bundle certificate
curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"

EDIT:

I know this is dumb, but there are times when the SSL certificate will be self-signed. Is there an ini setting I can modify to disable checking all certificates? Or do I have to do this in code for sockets and curl?

Chris Muench asked Jul 16 '15 17:07

1 Answer

If you check the PHP source for the openssl_get_cert_locations() function, it gets those locations by calling various OpenSSL functions such as X509_get_default_cert_file and by looking at the php.ini values openssl.cafile and openssl.capath described here.

What certificates/paths are you looking for exactly? If you are trying to get a CA bundle file, you could set the above-referenced php.ini values so they are returned by openssl_get_cert_locations().

The default php.ini file for PHP 5.6 has no default settings for those OpenSSL ini settings, as they need to be defined manually. This configuration is located near the end of php.ini:

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

When using cURL, you can use the option CURLOPT_CAINFO to provide the full path to the file holding one or more certificates to verify the peer with, via curl_setopt():

curl_setopt($ch, CURLOPT_CAINFO, "/path/to/ca/bundle");

This can also be set in php.ini:

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
;curl.cainfo =
drew010 answered Nov 04 '22 13:11
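As an added example (not part of the question or the answer above), the following PHP 5.6-compatible script resolves which CA file PHP will actually consult, in the order the answer describes (openssl.cafile, then the SSL_CERT_FILE environment variable, then the compiled-in OpenSSL default), and shows how to handle the self-signed case from the EDIT without disabling verification: point `cafile` at a PEM file containing that server's certificate and keep `verify_peer` on. The URL and the PEM path are placeholders.

```php
<?php
// Added example: find the CA file PHP really uses, then verify a TLS peer
// against an explicit CA file instead of turning certificate checks off.

// Resolution order PHP applies; openssl_get_cert_locations() exposes each source.
function effective_ca_file() {
    $loc = openssl_get_cert_locations();
    $env = getenv($loc['default_cert_file_env']);
    $candidates = array(
        'openssl.cafile (php.ini)' => $loc['ini_cafile'],
        'SSL_CERT_FILE (env)'      => $env !== false ? $env : '',
        'compiled-in default'      => $loc['default_cert_file'],
    );
    foreach ($candidates as $source => $path) {
        if ($path !== '' && is_readable($path)) {
            return array($source, $path);
        }
    }
    return array('none', ''); // every peer verification will fail in this state
}

// Stream context that keeps verification ON and trusts only what is in $caFile.
// A self-signed server cert placed in $caFile verifies because it becomes the
// trust anchor; allow_self_signed stays false so arbitrary self-signed certs do not.
function pinned_tls_context($caFile) {
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $caFile,
        'capture_peer_cert' => true, // lets us report which cert was presented
    )));
}

function fetch_verified($url, $caFile) {
    $ctx  = pinned_tls_context($caFile);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        return array('ok' => false, 'error' => isset($err['message']) ? $err['message'] : 'TLS failure');
    }
    $params = stream_context_get_params($ctx);
    $peer   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    return array('ok' => true, 'subject' => $peer['subject'], 'issuer' => $peer['issuer']);
}

list($source, $path) = effective_ca_file();
echo "CA file in use: $source -> " . ($path !== '' ? $path : '(none found)') . PHP_EOL;
// Placeholder path: a PEM export of the self-signed server certificate you intend to trust.
print_r(fetch_verified('https://internal.example.test/', '/path/to/selfsigned-server.pem'));
```

If `effective_ca_file()` reports `none`, that matches the symptom in the question: the compiled-in Bitnami path does not exist on this machine, so setting `openssl.cafile` in php.ini (or `SSL_CERT_FILE` in the environment) is the fix rather than disabling verification.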