Merge branch 'icywolfy-sslcafile'

HolgerW1 · Mar 5, 2014 · ce4f88c · ce4f88c
2 parents 43f2f86 + dce2627
commit ce4f88c
Show file tree

Hide file tree

Showing 3 changed files with 10,241 additions and 1 deletion.
diff --git a/library/Zend/Http/Client/Adapter/Socket.php b/library/Zend/Http/Client/Adapter/Socket.php
@@ -66,6 +66,7 @@ class Socket implements HttpAdapter, StreamInterface
         'sslcert'               => null,
         'sslpassphrase'         => null,
         'sslverifypeer'         => true,
+        'sslcafile'             => null,
         'sslcapath'             => null,
         'sslallowselfsigned'    => false,
         'sslusecontext'         => false
@@ -205,6 +206,12 @@ public function connect($host, $port = 80, $secure = false)
                     }
                 }
 
+                if ($this->config['sslcafile']) {
+                    if (!stream_context_set_option($context, 'ssl', 'cafile', $this->config['sslcafile'])) {
+                        throw new AdapterException\RuntimeException('Unable to set sslcafile option');
+                    }
+                }
+
                 if ($this->config['sslcapath']) {
                     if (!stream_context_set_option($context, 'ssl', 'capath', $this->config['sslcapath'])) {
                         throw new AdapterException\RuntimeException('Unable to set sslcapath option');
@@ -287,7 +294,11 @@ public function connect($host, $port = 80, $secure = false)
 
                     if ((! $errorString) && $this->config['sslverifypeer']) {
                         // There's good chance our error is due to sslcapath not being properly set
-                        if (! ($this->config['sslcapath'] && is_dir($this->config['sslcapath']))) {
+                        if (! ($this->config['sslcafile'] || $this->config['sslcapath'])) {
+                            $errorString = 'make sure the "sslcafile" or "sslcapath" option are properly set for the environment.';
+                        } elseif ($this->config['sslcafile'] && !is_file($this->config['sslcafile'])) {
+                            $errorString = 'make sure the "sslcafile" option points to a valid SSL certificate file';
+                        } elseif ($this->config['sslcapath'] && !is_dir($this->config['sslcapath'])) {
                             $errorString = 'make sure the "sslcapath" option points to a valid SSL certificate directory';
                         }
                     }

diff --git a/tests/ZendTest/Http/Client/SocketTest.php b/tests/ZendTest/Http/Client/SocketTest.php
@@ -85,6 +85,30 @@ public function testConnectingViaSslEnforcesDefaultSslOptionsOnContext()
         $this->assertFalse($options['ssl']['allow_self_signed']);
     }
 
+
+    /**
+     * Test Certificate File Option
+     * The configuration is set to a legitimate certificate bundle file,
+     * to exclude errors from being thrown from an invalid cafile context being set.
+     */
+    public function testConnectingViaSslUsesCertificateFileContext()
+    {
+        $config = array(
+          'timeout' => 30,
+          'sslcafile' => __DIR__ . '/_files/ca-bundle.crt',
+        );
+        $this->_adapter->setOptions($config);
+        try {
+            $this->_adapter->connect('localhost', 443, true);
+        } catch (\Zend\Http\Client\Adapter\Exception\RuntimeException $e) {
+            // Test is designed to allow connect failure because we're interested
+            // only in the stream context state created within that method.
+        }
+        $context = $this->_adapter->getStreamContext();
+        $options = stream_context_get_options($context);
+        $this->assertEquals($config['sslcafile'], $options['ssl']['cafile']);
+    }
+
     /**
      * Test that a Zend\Config object can be used to set configuration
      *