Disable SSL peer/hostname verification for HTTPClient unless we've configured a trusted CA bundle like this: $config['http']['ssl_cafile'] = '/usr/lib/ssl/certs/ca-certificates.crt';
Previously, all HTTPS requests failed because the HTTP_Request2 library turns on the validation check but does not specify a CA file.
parent
68305d4b68
commit
2c12d837c6
@ -304,4 +304,7 @@ $default =
|
|||||||
array('subscribers' => true,
|
array('subscribers' => true,
|
||||||
'members' => true,
|
'members' => true,
|
||||||
'peopletag' => true),
|
'peopletag' => true),
|
||||||
|
'http' => // HTTP client settings when contacting other sites
|
||||||
|
array('ssl_cafile' => false // To enable SSL cert validation, point to a CA bundle (eg '/usr/lib/ssl/certs/ca-certificates.crt')
|
||||||
|
),
|
||||||
);
|
);
|
||||||
|
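Review bot: The inline comment on the new `'ssl_cafile' => false` default explains how to enable validation but not what the default means: with `false`, the client code added in this commit switches peer verification off for outbound HTTPS. An administrator reading only this defaults array would not learn that a stock install trusts any certificate. I would reword the comment to `// false = certificates of remote HTTPS sites are NOT verified; set to a CA bundle path (eg '/usr/lib/ssl/certs/ca-certificates.crt') to enable validation`. The `$default` array begins above the hunk.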
@ -133,6 +133,18 @@ class HTTPClient extends HTTP_Request2
|
|||||||
// it gracefully in that case as well.
|
// it gracefully in that case as well.
|
||||||
$this->config['protocol_version'] = '1.0';
|
$this->config['protocol_version'] = '1.0';
|
||||||
|
|
||||||
|
// Default state of OpenSSL seems to have no trusted
|
||||||
|
// SSL certificate authorities, which breaks hostname
|
||||||
|
// verification and means we have a hard time communicating
|
||||||
|
// with other sites' HTTPS interfaces.
|
||||||
|
//
|
||||||
|
// Turn off verification unless we've configured a CA bundle.
|
||||||
|
if (common_config('http', 'ssl_cafile')) {
|
||||||
|
$this->config['ssl_cafile'] = common_config('http', 'ssl_cafile');
|
||||||
|
} else {
|
||||||
|
$this->config['ssl_verify_peer'] = false;
|
||||||
|
}
|
||||||
|
|
||||||
parent::__construct($url, $method, $config);
|
parent::__construct($url, $method, $config);
|
||||||
$this->setHeader('User-Agent', $this->userAgent());
|
$this->setHeader('User-Agent', $this->userAgent());
|
||||||
}
|
}
|
||||||
|
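Review bot: The `else` branch sets `ssl_verify_peer` to false for every request this client makes whenever `common_config('http', 'ssl_cafile')` is falsy, which is the shipped default, so remote HTTPS endpoints are not authenticated and nothing tells the operator. The commit message speaks of peer and hostname verification, but only `ssl_verify_peer` is touched here; `ssl_verify_host` appears to stay at the HTTP_Request2 default, so the comment should say which checks are actually off. I would extend the comment with `// SECURITY: without a CA bundle, peer certificates are not verified and responses from other sites can be altered in transit; set $config['http']['ssl_cafile'] in production.` and consider logging a one-time warning when this branch is taken. The constructor begins above the hunk, so whether a caller-supplied `$config` passed to `parent::__construct()` can override these values is not visible here.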