PHP (in common with python until recently) has had a long-standing security problem in that all of its functions that use SSL/TLS do not perform certificate verification, so as long as a site presents some kind of valid certificate, it will be allowed, even if it is not signed by a known CA, or does not match the domain. This of course means it's vulnerable to man-in-the-middle attacks.
PHP 5.6 solves this problem by the implementation of this PHP RFC. A big part of that is the new php.ini property openssl.capath that points to the CA certificate folder that's part of OpenSSL on the host platform, and can be used by PHP's SSL stream context as the capath property (docs). A second RFC adds a function openssl_get_cert_locations() to make this even easier.
That's great for PHP 5.6, but finding the CA cert path is not an easy problem to solve for earlier versions, and that means for everyone since 5.6 is not released yet.
On most Linux distros this path is /etc/ssl/certs, but that's not a reliable assumption for portable code that runs on Windows, BSD, OS X etc. OS X is particularly troublesome for this because OpenSSL on OS X does not store CA certs in the file system but in the system keychain.
This is of course easy to solve for any specific platform since you can just set whatever is appropriate on your server, but in this case it's for some very popular library code that's used all over the place.
Can anyone suggest a reliable cross-platform way of finding the CA cert path?
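The following is an added example, not code from the question or from the library it refers to. It shows the shape of a fail-closed probe: ask PHP 5.6's openssl_get_cert_locations() first, then fall back to the SSL_CERT_FILE / SSL_CERT_DIR environment variables OpenSSL itself honours, then to a list of well-known bundle locations on common platforms (that list is an assumption about typical distro layouts, not an exhaustive or guaranteed one), and finally build a stream context with peer verification switched on. If no CA material is found, the helper returns null so the caller can refuse to connect rather than silently disabling verification. The hostname parameter and the use of CN_match for pre-5.6 PHP are assumptions on my part.

```php
<?php
// Added example (not from the original post): locate a CA bundle or directory so
// PHP's SSL stream context can verify peer certificates, and refuse to proceed
// without one. The candidate paths below are assumed typical locations.

function find_ca_locations()
{
    // PHP 5.6+: OpenSSL reports where it looks by default, plus php.ini overrides.
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        foreach (array('ini_cafile', 'default_cert_file') as $k) {
            if (!empty($loc[$k]) && is_readable($loc[$k])) {
                return array('cafile' => $loc[$k]);
            }
        }
        foreach (array('ini_capath', 'default_cert_dir') as $k) {
            if (!empty($loc[$k]) && is_dir($loc[$k])) {
                return array('capath' => $loc[$k]);
            }
        }
    }

    // OpenSSL honours these environment variables itself; reuse them if set.
    $file = getenv('SSL_CERT_FILE');
    if ($file !== false && is_readable($file)) {
        return array('cafile' => $file);
    }
    $dir = getenv('SSL_CERT_DIR');
    if ($dir !== false && is_dir($dir)) {
        return array('capath' => $dir);
    }

    // Well-known bundle files (assumed locations; first readable one wins).
    $candidates = array(
        '/etc/ssl/certs/ca-certificates.crt',     // Debian/Ubuntu
        '/etc/pki/tls/certs/ca-bundle.crt',       // RHEL/CentOS/Fedora
        '/etc/ssl/ca-bundle.pem',                 // openSUSE
        '/usr/local/share/certs/ca-root-nss.crt', // FreeBSD (ca_root_nss port)
        '/etc/ssl/cert.pem',                      // OpenBSD, some OS X builds
        '/usr/local/etc/openssl/cert.pem',        // OS X with Homebrew OpenSSL
    );
    foreach ($candidates as $path) {
        if (is_readable($path)) {
            return array('cafile' => $path);
        }
    }

    // Hashed-directory layout used by many Linux distros.
    foreach (array('/etc/ssl/certs', '/etc/pki/tls/certs') as $path) {
        if (is_dir($path)) {
            return array('capath' => $path);
        }
    }

    return null; // nothing found: let the caller fail closed
}

// Build a stream context that verifies the peer chain and hostname.
// $host is needed because pre-5.6 PHP only checks the hostname via CN_match.
function verifying_ssl_context($host)
{
    $ca = find_ca_locations();
    if ($ca === null) {
        return null; // do NOT fall back to verify_peer => false
    }
    $ssl = array('verify_peer' => true, 'verify_depth' => 5) + $ca;
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = true; // 5.6+: hostname check built in
    } else {
        $ssl['CN_match'] = $host;        // older PHP: explicit hostname check
    }
    return stream_context_create(array('ssl' => $ssl));
}

// Usage: $host is a constructed placeholder; substitute the real peer.
$host = 'example.com';
$ctx = verifying_ssl_context($host);
if ($ctx === null) {
    fwrite(STDERR, "No CA certificates found; refusing unverified TLS connection\n");
    exit(1);
}
$body = @file_get_contents("https://$host/", false, $ctx);
if ($body === false) {
    // A failed verification surfaces here as a warning plus false, not as a
    // silently accepted connection.
    fwrite(STDERR, "TLS connection to $host failed verification or I/O\n");
    exit(1);
}
echo strlen($body), " bytes received over a verified connection\n";
```

The important design choice is the null return: the fallback list will never cover every platform, so when nothing is found the code stops rather than degrading to an unverified connection, which is exactly the state the question describes as the problem.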