PHP fopen for SSL by default allows MITM (peer verification off)
<?php | |
/*
 OpenSSL verify certificate is off by default in php 5.3+
 There is no obvious php.ini option to reenable, so we're stuck w/
 forcing it at runtime.

 Usage: php -f this_file.php

 Output:
   Default   - https://www.google.com/ [Resource id #5]
   Verify on - https://www.google.com/ [Resource id #7]
   Default   - https://www.cacert.org/ [Resource id #8]
   Verify on - https://www.cacert.org/ [Could not negotiate]
 (file handles close on exit)

 Each URL is opened twice: once with PHP's built-in defaults (no peer
 verification) and once through fopen_verify(), which forces verify_peer on.
 A handle on the first line and "Could not negotiate" on the second means the
 default stream accepted a certificate that strict verification rejects.

 Author: Kenneth White [github A T kennwhite period commercial-top-level-domain]
*/

// Suppress non-fatal warnings (including SSL3_GET_SERVER_CERTIFICATE msgs)
error_reporting( E_ERROR );
// Show everything
//error_reporting( E_ALL );

// Print one result line. A false handle means fopen() could not connect or
// complete the TLS handshake; anything else is the open stream resource.
$report = function ($label, $url, $stream) {
    if ($stream === false) {
        echo "$label - $url [Could not negotiate] \n";
    } else {
        echo "$label - $url [", print_r($stream, true), "]\n";
    }
};

$urls = array('https://www.google.com/', 'https://www.cacert.org/');

foreach ($urls as $url) {
    // No stream context: whatever PHP's default ssl options are.
    $default = fopen($url, 'r');
    $report('Default', $url, $default);

    // Same URL, with peer verification forced on in the context.
    $verified = fopen_verify($url);
    $report('Verify on', $url, $verified);
}
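/**
 * Open $url for reading with TLS peer verification forced on.
 *
 * Builds a stream context whose ssl options override PHP's defaults:
 *   - verify_peer:       validate the server certificate chain against the CA store
 *   - verify_peer_name:  require the certificate to match the requested host name
 *                        (honoured on PHP >= 5.6; older releases need 'CN_match',
 *                        so on 5.3-5.5 verify_peer alone does not check the host)
 *   - allow_self_signed: reject self-signed chains explicitly
 *
 * No 'cafile'/'capath' is set, so the CA store is OpenSSL's default; a server
 * whose issuer is not in that store fails the handshake, which is presumably why
 * cacert.org shows "Could not negotiate" in the sample output.
 *
 * @param string $url  URL accepted by fopen(); the ssl options only apply to https://
 * @return resource|false  open read handle, or false when the connection or
 *                         handshake fails (fopen() also emits a warning)
 */
function fopen_verify( $url ) {
    $options = array(
        'ssl' => array(
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
        ),
    );
    $context = stream_context_create( $options );

    // Third argument is use_include_path; it must be passed (false) to reach $context.
    return fopen( $url, 'r', false, $context );
}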