Topic: cafile for ssl must be set manually when not root

Hey there,

we are currently using php5.5 and planning to upgrade to php5.6.
After reading the upgrade instructions for php5.6, we wanted to make sure that our ssl connections will still work.

However, when I try to execute the following code as a non-root user

<?php
$host = 'ssl://www.google.de:443';
$context = stream_context_create();
// turn on certificate verification (it is off by default before PHP 5.6)
$result = stream_context_set_option($context, 'ssl', 'verify_peer', true);
$fp = stream_socket_client($host, $err, $errstr, 60, STREAM_CLIENT_CONNECT, $context);

I get the following error

PHP Warning:  stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in php shell code on line 1
PHP Warning:  stream_socket_client(): Failed to enable crypto in php shell code on line 1
PHP Warning:  stream_socket_client(): unable to connect to $URL$ (Unknown error) in php shell code on line 1

But when I execute the same code as root, the error is gone.

To fix this error for non-root users, I had to set the cafile manually via "stream_context_set_option":

<?php
$host = 'ssl://www.google.de:443';
$context = stream_context_create();
$result = stream_context_set_option($context, 'ssl', 'verify_peer', true);
// explicitly point OpenSSL at the system CA bundle instead of relying on its default lookup
$result = stream_context_set_option($context, 'ssl', 'cafile', '/etc/pki/tls/cert.pem');
$fp = stream_socket_client($host, $err, $errstr, 60, STREAM_CLIENT_CONNECT, $context);

Is it intended that someone must set the cafile (or capath) manually when not logged in as root?

The whole code above was tested using php5.5.20 with openssl1.0.1e-30.el6_6.5 on CentOS release 6.5 (Final).
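The root-versus-user difference in the post usually comes down to which CA bundle OpenSSL ends up opening and whether the current uid can read it. The script below is an added example, not code from the original post: it reports the CA locations PHP and OpenSSL would fall back to (openssl_get_cert_locations() exists from PHP 5.6; the rest runs on 5.5 too), checks that each is readable by the current user, and then builds a context that verifies both the certificate chain and the hostname before connecting. The host and bundle path are the ones from the post; the function names and the uid-check behaviour are this example's own.

```php
<?php
// Added example (not from the original post). Assumes a CentOS-style CA bundle
// at /etc/pki/tls/cert.pem and the host used in the post.

// Report the CA file/dir PHP would use and whether this uid can read them.
function tls_ca_report() {
    $report = array();
    if (function_exists('openssl_get_cert_locations')) {   // PHP >= 5.6
        $loc = openssl_get_cert_locations();
        foreach (array('ini_cafile', 'default_cert_file', 'ini_capath', 'default_cert_dir') as $k) {
            $path = isset($loc[$k]) ? (string) $loc[$k] : '';
            $report[$k] = array('path' => $path, 'readable' => $path !== '' && is_readable($path));
        }
    }
    // Environment overrides OpenSSL honours when it falls back to its default verify paths.
    foreach (array('SSL_CERT_FILE', 'SSL_CERT_DIR') as $env) {
        $v = getenv($env);
        $report[$env] = array('path' => (string) $v, 'readable' => $v !== false && is_readable($v));
    }
    return $report;
}

// Build a stream context that verifies the chain and the peer name.
// Passing an explicit $cafile is the workaround the post describes for PHP 5.5.
function tls_client_context($cafile = null) {
    $opts = array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,   // PHP 5.6+; 5.5 uses the older 'CN_match' option instead
        'allow_self_signed' => false,
    ));
    if ($cafile !== null) {
        if (!is_readable($cafile)) {
            // Fail loudly here instead of letting OpenSSL report a generic verify failure.
            throw new RuntimeException("CA bundle $cafile is not readable by uid " . getmyuid());
        }
        $opts['ssl']['cafile'] = $cafile;
    }
    return stream_context_create($opts);
}

// Connect with verification on; surface OpenSSL's error queue on failure so that
// "unreadable bundle" and "certificate really is bad" can be told apart.
function tls_connect($host, $cafile = null, $timeout = 10) {
    $ctx = tls_client_context($cafile);
    $fp = @stream_socket_client($host, $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        $ssl = array();
        while (($m = openssl_error_string()) !== false) {
            $ssl[] = $m;
        }
        throw new RuntimeException("connect to $host failed ($errno): $errstr; " . implode(' | ', $ssl));
    }
    return $fp;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    print_r(tls_ca_report());
    // Constructed usage with the host and bundle path from the post.
    $fp = tls_connect('ssl://www.google.de:443', '/etc/pki/tls/cert.pem');
    fclose($fp);
    echo "TLS handshake verified as uid ", getmyuid(), "\n";
}
```

Run it once as root and once as the unprivileged user; if the 'readable' flags differ between the two runs, the verify failure is a file-permission problem on the bundle, not a certificate problem, and the cafile override (or fixing the bundle's permissions) is the right fix.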

Re: cafile for ssl must be set manually when not root

With php 5.4 / 5.5 you have to set the capath (user or root).

With php 5.6 you have a new openssl.capath option (php.ini), but the default value is correct, so you don't have to set it anymore.

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi