
INP-1866 - Verify SSL certificate on cURL connections
Closed, Public

Authored by alex on Jun 14 2024, 6:16 AM.

Details

Test Plan
  • create /google_com.pem file with the following content (contents of the file obtained via openssl s_client -connect www.google.com:443 -showcerts command):
  • in the /index.php file add this code after $application->Init(); line:
/** @var kCurlHelper $curl_helper */
$curl_helper = $application->recallObject('CurlHelper');

$output = $curl_helper->Send('https://wrong.host.badssl.com/');
echo 'Test 1 (default behavior; wrong cert failure): ' . ($output === false && $curl_helper->lastErrorCode !== 0 ? 'Passed' : 'Failed') . '<br/>';

$output = $curl_helper->Send('https://www.google.com/');
echo 'Test 2 (default behavior; correct cert success): ' . ($output !== false && $curl_helper->lastErrorCode === 0 ? 'Passed' : 'Failed') . '<br/>';

$curl_helper->disableSslCertificateVerification();
$output = $curl_helper->Send('https://wrong.host.badssl.com/');
echo 'Test 3 (wrong cert success): ' . ($output !== false && $curl_helper->lastErrorCode === 0 ? 'Passed' : 'Failed') . '<br/>';

$curl_helper->enableSslCertificateVerification(__DIR__ . '/google_com.pem');
$output = $curl_helper->Send('https://www.google.com/');
echo 'Test 4 (correct custom cert success): ' . ($output !== false && $curl_helper->lastErrorCode === 0 ? 'Passed' : 'Failed') . '<br/>';

$curl_helper->enableSslCertificateVerification(__DIR__ . '/google_com.pem');
$output = $curl_helper->Send('https://www.etsy.com/');
echo 'Test 5 (correct custom cert failure): ' . ($output === false && $curl_helper->lastErrorCode !== 0 ? 'Passed' : 'Failed') . '<br/>';
  • in the /index.php file comment out the $application->Run(); and $application->Done(); lines
  • run the /index.php file in the Web Browser
  • confirm that the output contains:
Test 1 (default behavior; wrong cert failure): Passed
Test 2 (default behavior; correct cert success): Passed
Test 3 (wrong cert success): Passed
Test 4 (correct custom cert success): Passed
Test 5 (correct custom cert failure): Passed
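
The three TLS modes this test plan exercises, written against PHP's cURL extension directly. This is an added example, not code from this revision or from kCurlHelper: `tlsOptions()` and `fetch()` are hypothetical helpers, and the mapping of modes to cURL options is an assumption about what such a helper would set.

```php
<?php
// Added example: tlsOptions() and fetch() are hypothetical, not kCurlHelper methods.

/**
 * Build cURL TLS options for one of three modes:
 * 'default' (system CA store), 'custom' (CA bundle in $caFile), 'insecure' (no verification).
 */
function tlsOptions(string $mode, ?string $caFile = null): array
{
    switch ($mode) {
        case 'default':
            // Validate the chain and require the certificate to match the host name.
            return [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
        case 'custom':
            // Fail closed: an unreadable bundle must not silently fall back to another trust store.
            if ($caFile === null || !is_readable($caFile)) {
                throw new InvalidArgumentException('CA bundle not readable: ' . var_export($caFile, true));
            }
            return [
                CURLOPT_SSL_VERIFYPEER => true,
                CURLOPT_SSL_VERIFYHOST => 2,
                CURLOPT_CAINFO => $caFile,
            ];
        case 'insecure':
            // Turns off both chain validation and host name matching (Test 3 in the plan).
            return [CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0];
    }
    throw new InvalidArgumentException('Unknown TLS mode: ' . $mode);
}

/** Returns [body|false, cURL errno, cURL error text] so a caller can assert on the error code. */
function fetch(string $url, array $tlsOptions): array
{
    $ch = curl_init($url);
    // Array union keeps the TLS options if a key were ever duplicated on the right-hand side.
    curl_setopt_array($ch, $tlsOptions + [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10]);
    $body = curl_exec($ch);
    return [$body, curl_errno($ch), curl_error($ch)];
}

// Same test host as the plan above; this call needs network access.
[$body, $errno, $error] = fetch('https://wrong.host.badssl.com/', tlsOptions('default'));
printf("default mode, wrong host: body=%s errno=%d (%s)\n", var_export($body !== false, true), $errno, $error);
```

In 'custom' mode the chain is validated against the CAs in the bundle, so a host whose chain leads to one of those same CAs also verifies. A negative test like Test 5 needs a host served under a different CA.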

Diff Detail

Repository
rINP In-Portal
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

alex created this revision. Jun 14 2024, 6:16 AM
alex requested review of this revision. Jun 14 2024, 6:16 AM
alex edited the test plan for this revision. Jun 14 2024, 6:26 AM
erik requested changes to this revision. Jun 17 2024, 7:10 AM

The last line of the test result is: "Test 5 (correct custom cert failure): Failed"
This does not match what is defined in the test plan: "Test 5 (correct custom cert failure): Passed"

This revision now requires changes to proceed. Jun 17 2024, 7:10 AM
alex requested review of this revision. Jun 17 2024, 10:54 AM
alex edited the test plan for this revision.

I've updated the test plan (up-to-date SSL certificate & different SSL test domains).

erik accepted this revision. Jun 17 2024, 11:03 AM
This revision is now accepted and ready to land. Jun 17 2024, 11:03 AM
This revision was landed with ongoing or failed builds. Jun 17 2024, 11:30 AM
This revision was automatically updated to reflect the committed changes.