Can't enable hostname validation when using curl stream wrappers
| Bug #63352 | Can't enable hostname validation when using curl stream wrappers | ||||
|---|---|---|---|---|---|
| Submitted: | 2012-10-25 00:54 UTC | Modified: | - | ||
| From: | geissert@php.net | Assigned: | |||
| Status: | Closed | Package: | cURL related | ||
| PHP Version: | 5.4.8 | OS: | |||
| Private report: | No | CVE-ID: | None | ||
[2012-10-25 00:54 UTC] geissert@php.net
Description: ------------ When PHP is built with --with-curlwrappers, the context option "curl_verify_ssl_host" sets curl's CURLOPT_SSL_VERIFYHOST option to 1, but there is no way to set it to 2. Given that the option is a boolean, it should probably be setting the VERIFYHOST value to 2. There is no way to validate that the certificate belongs to the host otherwise. This applies to the ftps and https stream wrappers.
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2012-10-25 00:58 UTC] geissert@php.net