2012/8/14 Gary Hockin <[hidden email]>

Hi guys,

I have had exactly the same problem. I disabled the sslverifypeer setting in the adapter. An example to solve this is this commit: https://github.com/juriansluiman/SlmIdealPayment/commit/fe6d346042f8131ff1ddc039382ad168a42996b2#diff-0

I am not sure it is a "safe" option since "disabling" a "verification" with "ssl" sounds not safe to me. But at least I got the http client working again for making SSL connections.

-- Jurian Sluiman
On Tue, Aug 14, 2012 at 10:49 AM, Gary Hockin <[hidden email]> wrote:

Hi guys,

Basically you have two ways to proceed: a good one and a bad one.

The good one is fixing your PHP / OpenSSL setup. The problem you are having is due to the fact that your PHP's SSL library (openssl) can't find the SSL certificate chain to verify Facebook's server certificates. With a proper setup, this should "just work" but I have seen many cases where this is a problem. You may need to install common root certificates on your server, and if they are installed you may just need to configure the server's SSL certificate path / directory properly, either at the OpenSSL library level or at runtime (there are Transport\Socket options for that too). If you can't figure out how to do that, let me know - I might be able to assist here by giving some examples.

The bad option is to disable peer verification as you suggested. This is bad, because it exposes you to man-in-the-middle and possibly other attacks when talking to Facebook's servers. I strongly recommend against this, especially not in production (it may be acceptable in your dev environment but even this might be a bad idea - for example if using a real Facebook account and sending authentication data).

Shahar.
BTW on my Ubuntu servers it starts working properly when I set the Transport option 'sslCaPath' to '/etc/ssl/certs'. This directory is managed by one of the Ubuntu packages, I believe it's called 'ca-certificates'.
Shahar. On Tue, Aug 14, 2012 at 11:17 AM, Shahar Evron <[hidden email]> wrote:
Oops sorry please ignore - I keep thinking about the "new" HTTP client implementation - the one I moved to a module and sent a message about yesterday.

For the current ZF 2.0 HTTP client, as far as I can remember you will need to set the SSL CA path at runtime by accessing the adapter's stream context and using PHP's stream_context_set_option to set the capath SSL context option to point to a directory containing the certificates. There might be a way to do it from some OpenSSL config file or even from php.ini but I didn't find how to do it and I guess it really depends on your PHP build (which OpenSSL is linked to it and where its configuration is).

Shahar.

On Tue, Aug 14, 2012 at 11:23 AM, Shahar Evron <[hidden email]> wrote:
> BTW on my Ubuntu servers it starts working properly when I set the Transport option 'sslCaPath' to '/etc/ssl/certs'. This directory is managed by one of the Ubuntu packages, I believe it's called 'ca-certificates'.

Hey,

are you able to provide an example on how you did this, please? I can't figure out the right place ^^.

Any help very welcome.

Greetings,
Sascha
See my next message, this reference was a mistake on my part.
Shahar. On Tue, Aug 14, 2012 at 1:23 PM, Sascha Howe <[hidden email]> wrote:
Gnarf, thanks! How could I not have seen this. Thanks for the help.

Greetings,
Sascha
Just in case someone else has trouble with this, below is how it worked for me with installed ca-certificates package from ubuntu:

    use Zend\Http\Client;

    $client = new Client();
    $client->setAdapter('\Zend\Http\Client\Adapter\Socket');
    $client->setMethod('GET');
    // the Socket adapter owns the stream context; point its CA directory at the
    // certificates installed by the ca-certificates package
    $stream = $client->getAdapter()->getStreamContext();
    if (!stream_context_set_option($stream, array('ssl' => array('capath' => '/etc/ssl/certs')))) {
        echo "Error setting capath in Streamcontext";
        die;
    }
    return $client;

Greetings,
Sascha
Hi all,
For any doubters, the reason the defaults changed is very simple. The entire point of using HTTPS is to a) encrypt the connection and b) verify that you are connecting to the intended host by verifying their certificate and such. Not performing both steps means you can unwittingly connect to a Man-In-The-Middle using a forged certificate since, with peer verification disabled, the verification checks are NEVER performed. This is inherently insecure, wrong and makes an HTTPS connection no different to using HTTP (encryption is merely established with the forging MITM instead so by itself, encryption is USELESS). You can achieve the same level of insecurity by setting cURL's options to disable peer verification, i.e. cURL has this enabled by default while PHP's SSL Context has it disabled by default.

In fact, PHP's SSL Context is used for ALL built in HTTPS connections including from file_get_contents(), DOMDocument::load(), require_once(), etc. They should all have peer verification and the CA certs configured for the context whenever such functions are used for HTTPS. I'll be working on trying to make this more consistently simpler to configure during the week ahead, the current Zend\Http\Client was anticipated to be replaced so we never got around to polishing its rough edges, one of which is Context configuration.

As such, remember that when you experience errors with peer verification enabled the main cause will likely be a missing or misconfigured capath. The other cause for failures, outside of the usual HTTP problems, will be down to invalid, out of date, self-signed (there's a separate option to enable self-signed certs and it's FALSE by default), and other such SSL errors that would make your browser normally complain with a big red screen and dire predictions of your impending doom ;). Those errors are there for a reason - forged sites and MITM attacks need to be defended against.

Disabling peer verification deliberately is tantamount to deliberately not escaping for XSS - it's a self inflicted security vulnerability. Also, since PHP is therefore insecure by default, please feel free to complain to someone on the internals team. They might wake up one day to just how widespread this problem is.

Paddy

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
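As an added example (not code from this thread or from the Zend Framework project), the following puts Shahar's runtime-context advice, Sascha's snippet and Paddy's point about PHP's built-in HTTPS streams into one place: a single set of SSL context options with peer verification switched on and a CA directory configured, applied both to a Zend\Http\Client Socket adapter and to a plain file_get_contents() call. The helper names, the placeholder URL and the assumption that the CA directory is the OpenSSL hashed layout that Ubuntu's ca-certificates package maintains under /etc/ssl/certs are mine, not the thread's.

```php
<?php
// Added example, not from the thread or the Zend Framework code base.
// Builds one verifying SSL context and applies it to both the ZF2 Socket
// adapter and PHP's own https:// stream wrapper.
use Zend\Http\Client;
use Zend\Http\Client\Adapter\Socket;

/**
 * SSL context options that verify the remote certificate against a CA
 * directory. Assumption: $caPath uses OpenSSL's hashed layout, which the
 * Debian/Ubuntu 'ca-certificates' package keeps in /etc/ssl/certs.
 */
function secureSslOptions($caPath = '/etc/ssl/certs')
{
    if (!is_dir($caPath)) {
        // A missing capath is the usual cause of verification errors; fail
        // loudly here instead of silently falling back to no verification.
        throw new RuntimeException("CA directory not found: $caPath");
    }
    return array(
        'verify_peer'       => true,   // check the chain against $caPath
        'allow_self_signed' => false,  // self-signed certs stay rejected
        'capath'            => $caPath,
    );
}

/**
 * A Zend\Http\Client whose Socket adapter verifies peers. The adapter must
 * be set before the stream context is fetched, otherwise getAdapter()
 * returns null.
 */
function buildVerifyingClient($caPath = '/etc/ssl/certs')
{
    $client = new Client();
    $client->setAdapter(new Socket());
    $client->setMethod('GET');

    $context = $client->getAdapter()->getStreamContext();
    $ok = stream_context_set_option($context, array('ssl' => secureSslOptions($caPath)));
    if (!$ok) {
        throw new RuntimeException('Could not set SSL options on the stream context');
    }
    return $client;
}

/**
 * The same options for PHP's built-in https:// wrapper. Without
 * 'verify_peer' => true, file_get_contents() (like require_once() or
 * DOMDocument::load()) accepts whatever certificate the other end presents.
 */
function fetchVerified($url, $caPath = '/etc/ssl/certs')
{
    $context = stream_context_create(array('ssl' => secureSslOptions($caPath)));
    $body = file_get_contents($url, false, $context);
    if ($body === false) {
        // Expired, forged or unknown-CA certificates end up here; the fix is
        // a correct capath, not turning verification off.
        throw new RuntimeException("HTTPS fetch failed for $url");
    }
    return $body;
}

// Usage (https://example.com/ is a placeholder, not a site from the thread):
// $client = buildVerifyingClient();
// $client->setUri('https://example.com/');
// $response = $client->send();
// $html = fetchVerified('https://example.com/');
```

The explicit 'verify_peer' => true matters on the PHP releases of this thread's era: the https:// wrapper only started verifying peers by default in PHP 5.6, so before that a context without the option behaves exactly as Paddy describes. Keeping the options in one function also means a change of CA directory (for a distribution that does not use /etc/ssl/certs) is made in one place for both code paths.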
-- Pádraic Brady <[hidden email]> wrote
(on Tuesday, 14 August 2012, 11:16 PM +0100):

> As such, remember that when you experience errors with peer
> verification enabled the main cause will likely be a missing or
> misconfigured capath. The other cause for failures, outside of the
> usual HTTP problems, will be down to invalid, out of date, self-signed
> (there's a separate option to enable self-signed certs and it's FALSE
> by default), and other such SSL errors that would make your browser
> normally complain with a big red screen and dire predictions of your
> impending doom ;). Those errors are there for a reason - forged sites
> and MITM attacks need to be defended against. Disabling peer
> verification deliberately is tantamount to deliberately not escaping
> for XSS - it's a self inflicted security vulnerability.

This should be well-documented in the Zend\Http docs, and cover several of the major linux distros in terms of where to find the CA paths...

> Also, since PHP is therefore insecure by default, please feel free to
> complain to someone on the internals team. They might wake up one day
> to just how widespread this problem is.
>
> Paddy

-- 
Matthew Weier O'Phinney
Project Lead | [hidden email]
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
2012/8/16 Gary Hockin <[hidden email]>

Just to confirm, I'm not questioning the change at all, I support it 100%. I'm just trying to get some help on configuring my server so I can use https and Zend\Http\Client correctly.

Today I looked at the code to see how to set the capath context stream option directly in the adapter. To make this happen, I had to add some lines to the Socket adapter, for which I made a PR here: https://github.com/zendframework/zf2/pull/2197

With the change I can configure the http client to my needs without using the stream_context_* functions directly or being vulnerable to man in the middle attacks. It's pretty straightforward to set the capath ssl option now:

In my Ubuntu setup, the path should be /etc/ssl/certs. As far as I know, this is also the option for most other distributions on Linux. Bear in mind you need to set the adapter first to get it, otherwise the accessor returns null.

-- Jurian Sluiman
