This repository has been archived by the owner on Apr 5, 2020. It is now read-only.

By default require SSL connections to be encrypted *and* authenticated #209

Closed
wants to merge 2 commits into from

Conversation

kiesel
Member

@kiesel kiesel commented Nov 27, 2012

If only using encryption, MITM attacks are easily possible, so the framework's default should be changed.

However, this pull request first serves as a discussion playground for this: to verify a peer certificate, one needs to have a list of trusted root CAs. If missing, no peer certificate will be accepted. The list can change over time, though, so bundling it with the framework is not a good option.

It would be best to use the list of CAs from the system, but there is probably no portable way of finding them. Maybe someone has insights into this.

On cygwin, there's a bundle of certs here:

-> % ls /usr/ssl/certs
README.RootCerts  ca-bundle.crt  ca-bundle.trust.crt  demo  expired

On gentoo, it is here (another, probably more suitable, format):

-> % ls -1l /etc/ssl/certs
total 1012
lrwxrwxrwx 1 root root     29 Jun 11 08:49 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem
lrwxrwxrwx 1 root root     50 Jun 11 08:49 039c618a.0 -> TURKTRUST_Certificate_Services_Provider_Root_2.pem
...

On debian, it seems to be the same directory & format.

@thekid
Member

thekid commented Dec 9, 2012

My idea

Extract (or symlink) during setup into the same directory as xp.ini, e.g.:

$ ls -1l .xp/
insgesamt 4
-rwxr-xr-x  1 friebe Domänen-Benutzer 1077   18. Dez 18:04 xp.ini
-rw-r--r--  1 friebe Domänen-Benutzer 745032  1. Mrz 2012  ca-bundle.trust.crt

...and set an XP_CONFIG_PATH environment variable or php.ini directive to contain the path to xp.ini.

This would have the benefit that users could add their local staging SSL certificates extremely easily by simply putting the .crt here, and not having to manually call setCAFile() programmatically.

Inside the implementations, we'd use setCAPath(xp::CONFIG_PATH).
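An added example (not xp-framework code, and not the API the comments above propose) of what the discussed default would look like in plain PHP: look for a CA bundle next to xp.ini via XP_CONFIG_PATH, fall back to well-known system locations, and refuse to connect unless the peer can be verified. The file name ca-bundle.trust.crt, the XP_CONFIG_PATH variable and the candidate system paths are assumptions taken from this discussion.

```php
<?php
// Added example, not xp-framework code. Locates a CA bundle and builds an
// SSL stream context that verifies the peer instead of only encrypting.
// XP_CONFIG_PATH and the candidate paths are assumptions from the discussion.

function findCaBundle() {
    $candidates = array();
    // 1. Bundle placed next to xp.ini (the proposal above), via XP_CONFIG_PATH
    $config = getenv('XP_CONFIG_PATH');
    if (false !== $config) {
        $candidates[] = rtrim($config, '/\\').DIRECTORY_SEPARATOR.'ca-bundle.trust.crt';
    }
    // 2. Well-known system locations: Debian/Gentoo, RHEL, Cygwin (assumed)
    $candidates[] = '/etc/ssl/certs/ca-certificates.crt';
    $candidates[] = '/etc/pki/tls/certs/ca-bundle.crt';
    $candidates[] = '/usr/ssl/certs/ca-bundle.crt';
    foreach ($candidates as $file) {
        if (is_file($file) && is_readable($file)) return $file;
    }
    return null;
}

function secureSslContext($host) {
    $cafile = findCaBundle();
    if (null === $cafile) {
        // The encryption-only alternative would be 'verify_peer' => false,
        // which is exactly the MITM-prone default this PR wants to change.
        throw new RuntimeException('No CA bundle found; refusing an unverified connection');
    }
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,    // certificate must chain to a trusted CA
        'verify_peer_name'  => true,    // hostname check (PHP >= 5.6)
        'CN_match'          => $host,   // hostname check for PHP < 5.6
        'cafile'            => $cafile,
        'allow_self_signed' => false,
    )));
}

// Usage against the local openssl s_server test setup on port 4433
$host = 'localhost';
$fp = stream_socket_client('ssl://'.$host.':4433', $errno, $errstr, 30,
                           STREAM_CLIENT_CONNECT, secureSslContext($host));
if (!$fp) die("Handshake failed: $errstr ($errno)\n");
fwrite($fp, "GET / HTTP/1.0\r\nHost: $host\r\n\r\n");
echo stream_get_contents($fp);
fclose($fp);
```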

@thekid
Member

thekid commented Dec 18, 2012

For Windows, http://www.yesjames.com/index.php/2011/10/yubikey-ssl-certificate-verification-in-php-for-windows/ might be a starting point:

If you’ve ever tried connecting to a remote service or server using SSL from your server side PHP script running on a Windows Server, you may very well have encountered the condition that the SSL certificate of the remote server cannot be verified.
The problem occurs when you have the CURLOPT_SSL_VERIFY_PEER curl option set to true.

The error looks like this:
error:14090086
SSL routines:SSL3_GET_SERVER_CERTIFICATE
certificate verify failed
Well, the problem has a very simple solution. CURL cannot talk directly to the Windows certificate repository, so you have to give it a file to validate the Trusted Root Certificate Authority against.

[...]

Follow these steps to export your Trusted Root Certificate Authority CA certs:
1. From the Windows start menu, run the command “mmc.exe” to launch the Microsoft Management Console;
2. From the MMC, choose “File” > “Add/Remove Snap-in…” from the main menu;
3. Add the “Certificates” snap-in; when asked which certificates you want to manage, select “Computer Account” and “Local computer”;
4. From the console root, navigate to “Certificates (Local Computer)” > “Trusted Root Certification Authorities” > “Certificates”;

This can also be done by executing certmgr.msc.

5. Select all of the certificates (CTRL+A) and select “Action” > “All tasks” > “Export…” from the MMC main menu;
6. Follow the wizard to export the certificate(s) to the Cryptographic Message Syntax Standard – PKCS#7 (.pb7 file) to a file called “TrustedRootCAs.pb7”;
7. Open a command prompt (“cmd.exe”) and navigate to the folder containing the PB7 file you just created;
8. Run openSSL.exe (you may need to add the path to this program to the Windows PATH environment variable) to convert the file to text using the following command:
c:\php\extras\openssl\openssl.exe pkcs7 -inform DER -in TrustedRootCAs.pb7 -print_certs -text > TrustedRootCAs.certs

This results in https://gist.github.com/4329481

This would need to be done by a scriptable utility though

@thekid
Member

thekid commented Dec 18, 2012

Another idea might be to follow http://www.openssl.org/support/faq.html#USER16, which states:

The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators.

Other projects do have other policies so you can for example extract the CA bundle used by Mozilla and/or modssl as described in this article:

http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

...but instead of exec'ing cvs, use a wget to http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt (which is what Cygwin does AFAIS. Some notes also @ http://codingrelic.geekhold.com/2012/01/certdatatxt.html)
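An added example (not xp-framework code) of the conversion suggested above: read a downloaded certdata.txt and write the certificates marked as trusted delegators for server authentication into a PEM bundle, which is the same filter Cygwin's and curl's mk-ca-bundle scripts apply. The input and output file names are assumptions.

```php
<?php
// Added example, not xp-framework code: convert Mozilla's certdata.txt
// into a PEM CA bundle, keeping only CAs trusted for TLS server auth.
// Certificate and trust objects are matched by their CKA_LABEL, which is
// a simplification (labels are assumed to be unique).

function certdataToPem($in, $out) {
    $certs   = array();  // label => DER bytes
    $trusted = array();  // label => true when trusted for server auth
    $label   = null;
    $fh = fopen($in, 'r');
    if (!$fh) throw new RuntimeException('Cannot open '.$in);
    while (false !== ($line = fgets($fh))) {
        $line = rtrim($line, "\r\n");
        if (0 === strpos($line, 'CKA_LABEL UTF8 ')) {
            $label = trim(substr($line, 15), '"');
        } elseif ('CKA_VALUE MULTILINE_OCTAL' === $line) {
            // Certificate body follows, one \ooo octal escape per byte, up to END
            $der = '';
            while (false !== ($l = fgets($fh))) {
                $l = trim($l);
                if ('END' === $l) break;
                $der .= preg_replace_callback('/\\\\([0-7]{3})/', function($m) {
                    return chr(octdec($m[1]));
                }, $l);
            }
            $certs[$label] = $der;
        } elseif (0 === strpos($line, 'CKA_TRUST_SERVER_AUTH ')
                  && false !== strpos($line, 'TRUSTED_DELEGATOR')) {
            // Matches CKT_NETSCAPE_TRUSTED_DELEGATOR and CKT_NSS_TRUSTED_DELEGATOR;
            // MUST_VERIFY_TRUST and NOT_TRUSTED entries are skipped
            $trusted[$label] = true;
        }
    }
    fclose($fh);
    $pem = '';
    $count = 0;
    foreach ($certs as $name => $der) {
        if (!isset($trusted[$name])) continue;   // distrusted or no trust record
        $pem .= '# '.$name."\n-----BEGIN CERTIFICATE-----\n"
              . chunk_split(base64_encode($der), 64, "\n")
              . "-----END CERTIFICATE-----\n\n";
        $count++;
    }
    file_put_contents($out, $pem);
    return $count;
}

printf("%d trusted CAs written\n", certdataToPem('certdata.txt', 'ca-bundle.trust.crt'));
```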

@thekid
Member

thekid commented Dec 18, 2012

Testing the implementation:

# Shell Window #1
$ openssl s_server -WWW -cert server.pem

# Shell Window #2
$ xp -w 'uses("peer.http.HttpConnection"); create(new HttpConnection("https://localhost:4433/"))->get()'

The client certificate (created by openssl x509 -in server.pem -out client.crt) should be in ~/.xp.

@thekid
Member

thekid commented Dec 27, 2012

@xpbot

xpbot commented Feb 12, 2013

Build results will soon be (or already are) available at: http://xpsrv.net:8080/job/xp-framework-pull-request-builder/2/

@kiesel
Member Author

kiesel commented May 24, 2016

This has become obsolete; as of PHP 5.6, PHP handles this by itself.

@kiesel kiesel closed this May 24, 2016
@thekid
Member

thekid commented May 24, 2016

as of PHP 5.6, PHP handles this by itself.

It does for ext/openssl, but not in ext/curl nor in ext/ldap...

@thekid thekid deleted the ssl-fix branch June 4, 2016 12:21
@kiesel
Member Author

kiesel commented Jun 12, 2016

Yap, but then still, won't be fixed in xp-framework/xp-framework ...
