Topic: cafile for ssl must be set manually when not root
Hey there,
we are currently using php5.5 and planning to upgrade to php5.6.
After reading the upgrade instructions for php5.6, we wanted to make sure that our ssl connections will still work.
However, when I try to execute the following code as a non-root user:
$host = 'ssl://www.google.de:443';
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'verify_peer', true);
$fp = stream_socket_client($host, $err, $errstr, 60, STREAM_CLIENT_CONNECT, $context);
I get the following error:
PHP Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in php shell code on line 1
PHP Warning: stream_socket_client(): Failed to enable crypto in php shell code on line 1
PHP Warning: stream_socket_client(): unable to connect to $URL$ (Unknown error) in php shell code on line 1
But when I execute the same code as root, the error is gone.
To fix this error for non-root users, I had to set the cafile manually via "stream_context_set_option":
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'verify_peer', true);
$result = stream_context_set_option($context, 'ssl', 'cafile', '/etc/pki/tls/cert.pem');
$fp = stream_socket_client($host, $err, $errstr, 60, STREAM_CLIENT_CONNECT, $context);
Is it intended that someone must set the cafile (or capath) manually when not logged in as root?
The whole code above was tested using php5.5.20 with openssl1.0.1e-30.el6_6.5 on CentOS release 6.5 (Final).
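
A diagnostic for the situation described above, as an added example that is not part of the original post: it lists the CA sources PHP and OpenSSL may consult and whether the current user can read each one, then builds a verifying context from the first readable source. It assumes PHP 5.6 or later (for openssl_get_cert_locations()) and that the root/non-root difference comes from file readability, which the post does not confirm; the function names ca_source_report and verifying_context are hypothetical.

```php
<?php
// Added example, not code from the original post. Requires PHP >= 5.6.

/**
 * List each CA source PHP/OpenSSL may consult and whether the current
 * (possibly unprivileged) user can actually read it.
 */
function ca_source_report()
{
    $loc = openssl_get_cert_locations();
    $candidates = array(
        'openssl.cafile (php.ini)' => $loc['ini_cafile'],
        'openssl.capath (php.ini)' => $loc['ini_capath'],
        'OpenSSL default file'     => $loc['default_cert_file'],
        'OpenSSL default dir'      => $loc['default_cert_dir'],
        // Path taken from the post; other distributions use other paths.
        'path from the post'       => '/etc/pki/tls/cert.pem',
    );
    $report = array();
    foreach ($candidates as $label => $path) {
        if ($path === '' || $path === null) { continue; } // source not configured
        $report[] = array(
            'source'   => $label,
            'path'     => $path,
            'readable' => is_readable($path), // false if any parent dir blocks access
            'is_dir'   => is_dir($path),
        );
    }
    return $report;
}

/** Build a verifying context from the first readable source, or null. */
function verifying_context(array $report)
{
    foreach ($report as $r) {
        if (!$r['readable']) { continue; }
        $key = $r['is_dir'] ? 'capath' : 'cafile';
        return stream_context_create(array('ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true, // hostname check, available from 5.6
            $key               => $r['path'],
        )));
    }
    return null; // nothing readable: fail closed, do not turn verify_peer off
}

foreach (ca_source_report() as $r) {
    printf("%-26s %-36s readable=%s\n", $r['source'], $r['path'],
        var_export($r['readable'], true));
}
```

Running the script once as root and once as the unprivileged user and comparing the readable column shows whether permissions on the bundle or on one of its parent directories explain the difference.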