
Use Mozilla's CA bundle by default for SSL requests, and allow SSL co…

…nfiguration flexibility PSR-2 fixes
1 parent 71fac84 commit 3f005bfc983b7e6d38f00b26cbfd759b2b220b33 @claylo claylo committed with mtdowling Sep 30, 2012
Showing with 3,924 additions and 7 deletions.
  1. +51 −7 Client.php
  2. +24 −0 ClientInterface.php
  3. +3,849 −0 Resources/cacert.pem
@@ -70,6 +70,7 @@ public static function getAllEvents()
public function __construct($baseUrl = '', $config = null)
{
$this->setConfig($config ?: new Collection());
+ $this->setSslVerification();
$this->setBaseUrl($baseUrl);
$this->defaultHeaders = new Collection();
$this->setRequestFactory(RequestFactory::getInstance());
@@ -105,6 +106,43 @@ public function __construct($baseUrl = '', $config = null)
/**
* {@inheritdoc}
*/
+ final public function setSslVerification($certificateAuthority = true, $verifyPeer = true, $verifyHost = 2)
+ {
+ $opts = $this->config->get(self::CURL_OPTIONS) ?: array();
+
+ if ($certificateAuthority === true) {
+ // use bundled CA bundle, set secure defaults
+ $opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem';
+ $opts[CURLOPT_SSL_VERIFYPEER] = true;
+ $opts[CURLOPT_SSL_VERIFYHOST] = 2;
+ } elseif ($certificateAuthority === false) {
+ unset($opts[CURLOPT_CAINFO]);
+ $opts[CURLOPT_SSL_VERIFYPEER] = false;
+ $opts[CURLOPT_SSL_VERIFYHOST] = 1;
+ } elseif ($verifyPeer !== true && $verifyPeer !== false && $verifyPeer !== 1 && $verifyPeer !== 0) {
+ throw new InvalidArgumentException('verifyPeer must be 1, 0 or boolean');
+ } elseif ($verifyHost !== 0 && $verifyHost !== 1 && $verifyHost !== 2) {
+ throw new InvalidArgumentException('verifyHost must be 0, 1 or 2');
+ } else {
+ $opts[CURLOPT_SSL_VERIFYPEER] = $verifyPeer;
+ $opts[CURLOPT_SSL_VERIFYHOST] = $verifyHost;
+ if (is_file($certificateAuthority)) {
+ unset($opts[CURLOPT_CAPATH]);
+ $opts[CURLOPT_CAINFO] = $certificateAuthority;
+ } elseif (is_dir($certificateAuthority)) {
+ unset($opts[CURLOPT_CAINFO]);
+ $opts[CURLOPT_CAPATH] = $certificateAuthority;
+ }
+ }
+
+ $this->config->set(self::CURL_OPTIONS, $opts);
+
+ return $this;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
public function getDefaultHeaders()
{
return $this->defaultHeaders;
@@ -315,9 +353,12 @@ public function send($requests)
if (!$multipleRequests) {
return end($requests)->getResponse();
} else {
- return array_map(function($request) {
- return $request->getResponse();
- }, $requests);
+ return array_map(
+ function ($request) {
+ return $request->getResponse();
+ },
+ $requests
+ );
}
}
@@ -377,10 +418,13 @@ protected function prepareRequest(RequestInterface $request)
// Attach client observers to the request
$request->setEventDispatcher(clone $this->getEventDispatcher());
- $this->dispatch('client.create_request', array(
- 'client' => $this,
- 'request' => $request
- ));
+ $this->dispatch(
+ 'client.create_request',
+ array(
+ 'client' => $this,
+ 'request' => $request
+ )
+ );
return $request;
}
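Review bot: In `setSslVerification()`, a `$certificateAuthority` string that is neither an existing file nor a directory passes both the `is_file()` and `is_dir()` checks without an error, so a mistyped path leaves the previously configured `CURLOPT_CAINFO` (the bundled file, after the constructor's call) in effect and the caller's intended trust anchor is silently not applied. The same branch accepts `$verifyHost === 1`, which in libcurl only checks that a name is present in the certificate without matching it against the host, and which newer libcurl releases no longer accept; the `false` branch also sets 1 although the interface docblock describes host verification as disabled. I would throw on an unusable path, accept only 0 or 2 for `$verifyHost`, and use 0 in the `false` branch, as sketched below. Separately, the constructor now calls `setSslVerification()` right after `setConfig()`, so CA-related curl options passed in through `$config` appear to be overwritten with the bundled defaults; worth confirming that is intended.

```php
    } elseif ($certificateAuthority === false) {
        // … unchanged: unset CURLOPT_CAINFO, CURLOPT_SSL_VERIFYPEER = false …
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;
    // … unchanged: verifyPeer validation …
    } elseif ($verifyHost !== 0 && $verifyHost !== 2) {
        throw new InvalidArgumentException('verifyHost must be 0 or 2');
    } else {
        // … unchanged: assign CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST …
        if (is_file($certificateAuthority)) {
            // … unchanged …
        } elseif (is_dir($certificateAuthority)) {
            // … unchanged …
        } else {
            throw new InvalidArgumentException(
                'certificateAuthority must be a boolean, an existing file or a directory'
            );
        }
    }
```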
@@ -37,6 +37,30 @@ public function setConfig($config);
public function getConfig($key = false);
/**
+ * Set SSL verification options.
+ *
+ * Setting $certificateAuthority to TRUE will result in the bundled
+ * cacert.pem being used to verify against the remote host.
+ *
+ * Alternate certificates to verify against can be specified with the
+ * $certificateAuthority option set to a certificate file location to be
+ * used with CURLOPT_CAINFO, or a certificate directory path to be used
+ * with the CURLOPT_CAPATH option.
+ *
+ * Setting $certificateAuthority to FALSE will turn off peer verification,
+ * unset the bundled cacert.pem, and disable host verification. Please
+ * don't do this unless you really know what you're doing, and why
+ * you're doing it.
+ *
+ * @param string|bool $certificateAuthority bool, file path, or directory path
+ * @param bool $verifyPeer FALSE to stop cURL from verifying the peer's certificate.
+ * @param int $verifyHost Set the cURL handle's CURLOPT_SSL_VERIFYHOST option
+ *
+ * @return ClientInterface
+ */
+ public function setSslVerification($certificateAuthority = true, $verifyPeer = true, $verifyHost = 2);
+
+ /**
* Get the default HTTP headers to add to each request created by the client
*
* @return Collection
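Review bot: The docblock for `setSslVerification()` leaves out three things a caller needs to use it safely. It does not say that `$verifyPeer` and `$verifyHost` are only applied when `$certificateAuthority` is a path and are ignored when it is TRUE or FALSE, which is how the implementation in Client.php behaves; I would add a sentence such as `$verifyPeer and $verifyHost are only used when $certificateAuthority is a file or directory path.` It also lacks `@throws InvalidArgumentException if $verifyPeer or $verifyHost is not an accepted value`, and the `$verifyHost` line should state which values are accepted and that only 2 matches the certificate name against the host. Finally, it would help to note that the bundled cacert.pem is a fixed snapshot shipped with the library, so CA removals reach users only through a library update, and that callers who need a current or restricted trust store should pass their own file or directory.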