From 58c06ab190e8df1f1841153a1ff107d62d97318c Mon Sep 17 00:00:00 2001
From: Dave Longley
Date: Thu, 24 Apr 2014 15:15:31 -0400
Subject: [PATCH] Fix SSL options for default doc loaders.

---
 jsonld.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/jsonld.php b/jsonld.php
index dafef6c..83dc0f2 100644
--- a/jsonld.php
+++ b/jsonld.php
@@ -313,7 +313,12 @@ function jsonld_default_document_loader($url) {
 'method' => 'GET',
 'header' => "Accept: application/ld+json\r\n"),
- 'ssl' => array('verify_peer' => true));
+ /* Note: Use jsonld_default_secure_document_loader for security. */
+ 'ssl' => array(
+ 'verify_peer' => false,
+ 'allow_self_signed' => true)
+ );
+
 $context = stream_context_create($opts);
 $content_type = null;
 stream_context_set_params($context, array('notification' =>
@@ -328,7 +333,7 @@ function jsonld_default_document_loader($url) {
 break;
 };
 }));
- $result = @file_get_contents($url, false, $context);
+ $result = file_get_contents($url, false, $context);
 if($result === false) {
 throw new JsonLdException(
 'Could not retrieve a JSON-LD document from the URL: ' . $url,
@@ -388,13 +393,23 @@ function jsonld_default_secure_document_loader($url) {
 'contextUrl' => null,
 'document' => null,
 'documentUrl' => $url);
 $redirects = array();
+ // get expected cert common name for TLS
+ $parsed = parse_url($url);
+ $host = isset($parsed['host']) ? $parsed['host'] : '';
+ $port = isset($parsed['port']) ? ':' . $parsed['port'] : '';
+ $cn = $host . $port;
+
 // default JSON-LD https GET implementation
 $opts = array(
 'http' => array(
 'method' => 'GET',
 'header' => "Accept: application/ld+json\r\n"),
- 'ssl' => array('verify_peer' => true));
+ 'ssl' => array(
+ 'verify_peer' => true,
+ 'allow_self_signed' => false,
+ 'CN_match' => $cn,
+ 'cafile' => '/etc/ssl/certs/ca-certificates.crt'));
 $context = stream_context_create($opts);
 $content_type = null;
 stream_context_set_params($context, array('notification' =>
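Review bot: Setting `'verify_peer' => false` in the default loader's `ssl` options means any https URL fetched through jsonld_default_document_loader is accepted from whatever server answers, so a remote context or document can be substituted on the path without the caller noticing; the `/* Note: ... */` comment documents the trade-off but does not change the default a library consumer gets without reading the source. `'allow_self_signed' => true` adds nothing once peer verification is off, which suggests the intent was "tolerate bad CA setups" rather than "disable authentication". A safer shape keeps verification on by default and lets callers who really need it pass their own context: `'ssl' => array('verify_peer' => true, 'allow_self_signed' => false)`, or have the default loader delegate https URLs to jsonld_default_secure_document_loader. The body of jsonld_default_document_loader continues outside this hunk, and the same concern applies to the unchanged `file_get_contents` call in the next hunk, which uses this context.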
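Review bot: With the `@` removed from `file_get_contents`, a failed fetch now raises a PHP warning before the JsonLdException on the following lines is thrown, yet the exception message still carries only the URL and not the underlying reason (DNS, TLS, HTTP status). Since the warning is the only place that reason appears, it is worth folding it into the exception so callers catching JsonLdException can act on it, e.g. `$err = error_get_last();` before the throw and appending `($err['message'] ?? '')` to the message — presumably that is what the `@` removal was meant to expose. The throw statement continues past the end of this hunk.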
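Review bot: `$cn = $host . $port;` appends `:port` to the value passed as `CN_match`, but a certificate's common name never includes a port, so the secure loader will reject every valid certificate for a URL on a non-default port; the expected name should be `$cn = $host;` alone. Two further caveats on the same `ssl` array: `'cafile' => '/etc/ssl/certs/ca-certificates.crt'` is a Debian/Ubuntu path, and on hosts where that file does not exist the fetch fails closed, so this should be configurable (or omitted so the PHP/OpenSSL default CA store is used); and `CN_match` on PHP releases of this era compares the CN only and, to my knowledge, ignores subjectAltName, with PHP 5.6 introducing `peer_name` as the replacement — worth a comment such as `// TODO: prefer 'peer_name' on PHP >= 5.6; CN_match does not consult SAN`. If the loader follows redirects via `$redirects` (its body continues outside the hunk), note that `$cn` is computed once from the original URL and would not match a redirect target on another host.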