Curl extension doesn't use CURLOPT_SSL_VERIFYPEER as expected

Bug #1594793 reported by Vinícius de Sá Souza
This bug affects 1 person
Affects: php7.0 (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Nish Aravamudan

Bug Description

Ubuntu 16.04 LTS
php7.0-curl version: 7.0.4-7ubuntu2.1
Curl version: curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

-------------------------

The expected behavior is: When I set the CURLOPT_SSL_VERIFYPEER option, I want to ignore all certificate errors which occur.

What happened instead: Unknown SSL protocol error in connection to www.receita.fazenda.gov.br:443

------------------
When I call "curl https://www.receita.fazenda.gov.br/Aplicacoes/SSL/ATCTA/CPF/captcha/gerarCaptcha.asp --insecure", this works fine for me.

Or when I use the same PHP script in another PHP 7 compilation.

Tags: curl insecure
Vinícius de Sá Souza (viniciusss) wrote :
Nish Aravamudan (nacc) wrote :

Hello and thank you for filing this bug!

Can you clarify if this is a known issue in the PHP version in 16.04 currently? Can you test with Yakkety (which has 7.0.7 and will get 7.0.8 soon)?

If it is/was a known issue, do you know what commit fixed it (for the purposes of backporting)?

Finally, you mention "another php 7 compilation". Can you explain which one? Was it the same version of PHP as in 16.04?

Changed in php7.0 (Ubuntu):
assignee: nobody → Nish Aravamudan (nacc)
status: New → Triaged
Nish Aravamudan (nacc) wrote :

As part of bug 1569609, I have created a microrelease-update test version at: https://launchpad.net/~nacc/+archive/ubuntu/lp1569609, which includes the fix for several other bugs. If anyone affected could also test that version (7.0.8-0ubuntu1~ppa1), that would be very helpful!

Robie Basak (racb) wrote :

> The expected behavior is: When I set the CURLOPT_SSL_VERIFYPEER option, I want to ignore all certificate errors which occur.

Isn't this the inverse of correct behaviour? Shouldn't you have to *un*set it to get peer verification turned off as you want to ignore the problem with the channel being insecure?

Nish Aravamudan (nacc) wrote : Re: [Bug 1594793] Re: Curl extension doesn't use CURLOPT_SSL_VERIFYPEER as expected

On 29.06.2016 [12:00:22 -0000], Robie Basak wrote:
> > The expected behavior is: When I set the CURLOPT_SSL_VERIFYPEER option, I want
> > to ignore all certificate errors which occur.
>
> Isn't this the inverse of correct behaviour? Shouldn't you have to
> *un*set it to get peer verification turned off as you want to ignore the
> problem with the channel being insecure?

Possibly translation issue, but the test script is setting this variable
to False specifically.

-Nish

Nish Aravamudan (nacc)
Changed in php7.0 (Ubuntu):
status: Triaged → Incomplete
Nish Aravamudan (nacc) wrote :

I'm not an SSL expert, but I checked with -v to curl for that URL, and it accepts TLS1.0 connections only.

So I told your script to do the same:

curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);

And your script then worked. I'm assuming this means that without this option, your script is attempting to connect with SSLv2 or SSLv3 by default.
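
An added example, not part of the bug report or of PHP's own code: the CURLOPT_SSLVERSION fix from the last comment applied with certificate checks left enabled, plus a classifier that separates handshake failures from certificate failures. The function names and sample error tuples are constructed; errno values 35, 51 and 60 are libcurl 7.47.0's CURLE_SSL_CONNECT_ERROR, CURLE_PEER_FAILED_VERIFICATION and CURLE_SSL_CACERT, and pairing errno 35 with the report's message is an assumption.

```php
<?php
// Added example (hypothetical helper names); written to run on PHP 7.0.
// libcurl error numbers for the two failure families.
const HANDSHAKE_ERRNOS = [35];      // CURLE_SSL_CONNECT_ERROR
const CERT_ERRNOS      = [51, 60];  // peer verification failed / CA cert problem

function classify_tls_failure(int $errno): string
{
    if (in_array($errno, HANDSHAKE_ERRNOS, true)) {
        return 'handshake';   // protocol negotiation failed; VERIFYPEER has no effect here
    }
    if (in_array($errno, CERT_ERRNOS, true)) {
        return 'certificate'; // trust store or server chain problem
    }
    return $errno === 0 ? 'ok' : 'other';
}

function fetch_verified(string $url, $sslVersion = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep chain validation on
        CURLOPT_SSL_VERIFYHOST => 2,     // keep hostname validation on
        CURLOPT_CONNECTTIMEOUT => 10,
    ]);
    if ($sslVersion !== null) {
        curl_setopt($ch, CURLOPT_SSLVERSION, $sslVersion); // per-host protocol pin
    }
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);
    return ['body' => $body, 'errno' => $errno, 'error' => $error,
            'class' => classify_tls_failure($errno)];
}

// Constructed samples (errno, message); the first reuses the report's message.
$samples = [
    [35, 'Unknown SSL protocol error in connection to www.receita.fazenda.gov.br:443'],
    [60, 'SSL certificate problem: unable to get local issuer certificate'],
];
foreach ($samples as list($errno, $msg)) {
    printf("%-11s errno=%d  %s\n", classify_tls_failure($errno), $errno, $msg);
}
// Live use for a TLS 1.0-only host: fetch_verified($url, CURL_SSLVERSION_TLSv1_0);
```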
