
I want to know if it is possible to turn off SSL verification in PHP 7.2 in a configuration file, let's say for example in php.ini, instead of turning it off in code.

I've seen many examples on the internet and stackoverflow where people suggest that you do:

```php
$arrContextOptions = array(
    "ssl" => array(
        "verify_peer"      => false, // certificate chain is no longer checked
        "verify_peer_name" => false, // hostname is no longer checked
    ),
);
```

The reason I would like to turn it off is because I am on a network where SSL inspection is being done and the application I'm testing needs to load some images over HTTPS. I've tried pointing PHP to the CA cert of the organization where I'm busy doing the work. They use a CA cert that they created themselves, which won't be included in any certificate bundles. Thus the current certificates that they gave me, which were signed by that CA, are considered invalid by any good browser and even by OpenSSL.

I tried several things, including pointing PHP to the locations or files mentioned in the output of:

```shell
php -r "print_r(openssl_get_cert_locations());"
```

```
Array
(
   [default_cert_file] => /var/lib/ca-certificates/ca-bundle.pem
   [default_cert_file_env] => SSL_CERT_FILE
   [default_cert_dir] => /var/lib/ca-certificates/openssl
   [default_cert_dir_env] => SSL_CERT_DIR
   [default_private_dir] => /etc/ssl/private
   [default_default_cert_area] => /etc/ssl
   [ini_cafile] =>
   [ini_capath] =>
)
```

I'm either not pointing PHP to the right CA cert or the errors I'm getting simply aren't verbose enough.

The call that fetches the images over HTTPS is `file_get_contents`, and the error I keep getting is:

```
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```
OpenBSDNinja
  • Save a backup of `/var/lib/ca-certificates/ca-bundle.pem`, then download the latest ca-bundle file from [https://curl.haxx.se/docs/caextract.html](https://curl.haxx.se/docs/caextract.html) and save it as `/var/lib/ca-certificates/ca-bundle.pem`, then restart Apache and see if it works; if it does, it was just a CA file problem. – Accountant م Sep 12 '19 at 14:20
  • Instead, do it dynamically: set the path of the new CA file in the `cafile` key of the `$arrContextOptions` array. – Accountant م Sep 12 '19 at 14:24
  • Check [this question](https://stackoverflow.com/questions/26148701/file-get-contents-ssl-operation-failed-with-code-1-failed-to-enable-crypto) too. – Accountant م Sep 12 '19 at 14:26
  • I edited my question to add some context. The CA used by the organization isn't a valid CA. It is a CA that they created themselves, so it won't be included in any CA bundles. They also don't install the CA that they use on the Linux VMs that they deploy. Thanks for all the answers :) – OpenBSDNinja Sep 12 '19 at 14:29
  • I would like to do this without a code change. I've also tried the suggestion in the link you posted, where the guy points to the CA cert with `openssl.cafile=/usr/local/etc/openssl/location-to-some-ca-cert.pem`. – OpenBSDNinja Sep 12 '19 at 14:31
  • There is an option in [ssl context](https://www.php.net/manual/en/context.ssl.php) called `allow_self_signed`; I think this is what you want, to allow self-signed certs. – Accountant م Sep 12 '19 at 14:34
  • Thanks, I had a look at that too, but that still requires a code change. I sadly don't have control over the code and I'm not allowed to add any code, but I am allowed to change configuration values. – OpenBSDNinja Sep 12 '19 at 14:37
  • "I want to know if it is possible to turn off SSL verification" Whatever you need to do, **DO NOT TURN OFF CERTIFICATE VERIFICATION**. If you do that you nullify almost all usefulness of TLS, and you might as well go back to plain unencrypted HTTP traffic. "They use a CA cert that they created themselves which won't be included in any certificate bundles." Then either install it or configure your application to specifically allow this CA certificate (in addition to all others). Do not turn everything off just for that... – Patrick Mevzek Sep 12 '19 at 14:48
  • @PatrickMevzek Your comment should be the accepted answer. I fully agree with you. – Dharman Sep 12 '19 at 14:59
  • I am all for security and I have a background in pentesting, so I don't need to be preached to about security. Even though this is a really stupid thing I want to do, I still want to know how to do it. – OpenBSDNinja Sep 13 '19 at 06:40
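The "install the CA" route from Patrick Mevzek's comment, done as a configuration change rather than a code change, as an added example that is not code from the question or its comments: it merges the system bundle reported by `openssl_get_cert_locations()` with the organisation's private CA into one file, which php.ini then selects with `openssl.cafile=`, so `verify_peer` stays on. The `$orgCa` and `$merged` paths are placeholders, and the CLI and the Apache/PHP-FPM SAPI may read different php.ini files, so the `ini_cafile` check has to be run against the SAPI that serves the application.

```php
<?php
// Added example (not from the question or its comments): merge the system CA
// bundle with the organisation's private CA so verification stays enabled and
// PHP is pointed at the result from php.ini (`openssl.cafile=`), not from code.
// $orgCa and $merged are placeholder paths.
$systemBundle = openssl_get_cert_locations()['default_cert_file'];
$orgCa        = '/etc/ssl/org-inspection-ca.pem';  // placeholder: the org's CA
$merged       = '/etc/ssl/php-ca-bundle.pem';      // placeholder: bundle PHP will use

// Split a PEM file into certificates and reject anything OpenSSL cannot parse.
function load_pem_certs(string $path): array {
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $certs = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            throw new RuntimeException("unparseable certificate in $path");
        }
        $certs[] = ['pem' => $block . "\n", 'name' => $info['name'],
                    'self_signed' => $info['subject'] == $info['issuer']];
    }
    return $certs;
}

$orgCerts = load_pem_certs($orgCa);
// A private root is self-signed. An intermediate on its own cannot anchor the
// chain, so warn instead of producing a bundle that still fails verification.
foreach ($orgCerts as $c) {
    if (!$c['self_signed']) {
        fwrite(STDERR, "warning: {$c['name']} is not self-signed; add its issuer too\n");
    }
}

$system = load_pem_certs($systemBundle);
$out    = implode('', array_column(array_merge($system, $orgCerts), 'pem'));
if (file_put_contents($merged, $out) === false) {
    throw new RuntimeException("cannot write $merged");
}
printf("wrote %d system + %d organisation certificate(s) to %s\n",
       count($system), count($orgCerts), $merged);
echo "php.ini:  openssl.cafile=$merged   (then restart Apache/PHP-FPM)\n";
echo "verify:   php -r 'print_r(openssl_get_cert_locations());'  -> ini_cafile\n";
```

In the question's own output `[ini_cafile]` is empty, which is what that entry looks like when PHP has not picked up an `openssl.cafile` setting; once the php.ini change is read by the right SAPI it shows the merged bundle path.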

0 Answers