The behavior of drupal_http_request() changes, because PHP 7 has changed the defaults regarding the ssl options.
This makes code fail that relies on issuing an HTTP request to an HTTPS version of a site that uses a self-signed certificate.
As this could also be seen as a core limitation / bug instead of a feature, it might be a good idea to make the PHP 7 behavior the default, but allow turning it off via a variable, especially for local development.
This is the code I use locally to make PHP 7 and a self-signed certificate work:
diff --git a/includes/common.inc b/includes/common.inc
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -820,7 +820,7 @@ function drupal_http_request($url, array $options = array()) {
'data' => NULL,
'max_redirects' => 3,
'timeout' => 30.0,
- 'context' => NULL,
+ 'context' => stream_context_create(array('ssl' => ['verify_peer' => FALSE, 'verify_peer_name' => FALSE])),
);
// Merge the default headers.
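Review bot: On the 'context' line, the new default sets verify_peer and verify_peer_name to FALSE for every caller that does not pass its own context, so all HTTPS requests made through drupal_http_request() would skip certificate and host name verification, not only those on a local development site. Consider leaving the default at NULL and creating this context only when a site variable explicitly asks for it. The inner ['verify_peer' => FALSE, ...] also uses short array syntax, which is a parse error on PHP versions older than 5.4; use array() as the outer call does.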
Comment | File | Size | Author |
---|---|---|---|
#13 | drupal_http_request-2761345-13.patch | 1.66 KB | twistor |
#11 | drupal_http_request-2761345-11.patch | 1.66 KB | twistor |
#9 | drupal_http_request-2761345-9.patch | 1.72 KB | twistor |
Comments
Comment #2
Fabianx (as a volunteer and at Tag1 Consulting) commented
Comment #3
MegaChriz (at WebCoo) commented:
I think the short array syntax shouldn't be used here as Drupal 7 also supports versions of PHP older than 5.4.
I haven't much experience with using drupal_http_request() on https sites yet, so I have no comment on that.
Comment #4
Fabianx (as a volunteer and at Tag1 Consulting) commented:
Uhm, yes indeed.
Comment #5
DamienMcKenna
I believe the changes first arose in PHP 5.6: http://php.net/manual/en/migration56.openssl.php
I believe this may be the same issue I described in Backup Migrate: #2498191: Unable to backup to NodeSquirrel using PHP 5.6.9 (on Windows)
Comment #6
hgoto (as a volunteer) commented:
I investigated this.
As DamienMcKenna said, the default value of verify_peer seems to have been changed in PHP 5.6.
http://php.net/manual/en/context.ssl.php#refsect1-context.ssl-changelog
The following description is from php.net.
verify_peer: Require verification of SSL certificate used.
verify_peer_name: Require verification of peer name.
allow_self_signed: Allow self-signed certificates. Requires verify_peer.
The default values of these options are as follows.
PHP 5.5:
verify_peer: FALSE
verify_peer_name: doesn't exist.
allow_self_signed: FALSE
PHP 5.6 / PHP 7.0:
verify_peer: TRUE
verify_peer_name: TRUE
allow_self_signed: FALSE (this is the same as PHP 5.5)
So, I think the options Fabianx showed in the sample are all we should consider here.
For people who review and think about this, the following resources are useful, I believe.
The documentation of Guzzle might be useful.
Comment #7
Fabianx (as a volunteer and at Tag1 Consulting) commented:
Hmm, but how would we check that someone did not intentionally set these options.
Maybe we need to make this configurable ... :/
drupal_http_request_ssl_verify_peer => NULL (default behavior), TRUE, FALSE
Tricky ...
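The tri-state setting proposed in comment #7, applied to the options listed in comment #6, as an added example (not code from this issue or from Drupal core). The function name example_http_ssl_options() and the certificate path are hypothetical, and the cafile option goes beyond the thread: it shows trusting one development certificate while verification stays on.

```php
<?php
// Added example: hypothetical helper, not code from this issue or Drupal core.

/**
 * Builds the 'ssl' stream context options for an outgoing HTTPS request.
 *
 * @param bool|null $verify_peer NULL keeps the PHP default, TRUE/FALSE force it.
 * @param string|null $cafile PEM file of a CA or self-signed certificate to trust.
 * @param array $caller_ssl Options the caller set on purpose; these always win.
 */
function example_http_ssl_options($verify_peer = NULL, $cafile = NULL, array $caller_ssl = array()) {
  $ssl = array();
  if ($verify_peer !== NULL) {
    $ssl['verify_peer'] = (bool) $verify_peer;
    // verify_peer_name was introduced in PHP 5.6; skip it on older versions.
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
      $ssl['verify_peer_name'] = (bool) $verify_peer;
    }
  }
  if ($cafile !== NULL) {
    // Trust one named certificate instead of switching verification off.
    $ssl['cafile'] = $cafile;
  }
  // Array union keeps the left operand's keys, so explicit caller options
  // are never overwritten by the site-wide setting.
  return $caller_ssl + $ssl;
}

// Constructed sample settings; the certificate path is a placeholder.
$cases = array(
  'PHP default (NULL)' => example_http_ssl_options(),
  'forced on' => example_http_ssl_options(TRUE),
  'forced off (local dev only)' => example_http_ssl_options(FALSE),
  'verification on, dev CA trusted' => example_http_ssl_options(TRUE, '/path/to/dev-ca.pem'),
  'caller override wins' => example_http_ssl_options(FALSE, NULL, array('verify_peer' => TRUE)),
);
foreach ($cases as $label => $ssl) {
  $context = stream_context_create(array('ssl' => $ssl));
  $options = stream_context_get_options($context);
  echo $label, ': ', json_encode(isset($options['ssl']) ? $options['ssl'] : array()), "\n";
}
```

In the last case only verify_peer comes from the caller, so verify_peer_name still follows the site-wide value, which is the ambiguity comment #7 raises.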
Comment #8
Fabianx (as a volunteer and at Tag1 Consulting) commented
Comment #9
twistor (as a volunteer) commented:
Here's a quick stab at this. Curious to see if setting options that don't exist for a PHP version will cause problems.
Comment #11
twistor (as a volunteer) commented:
Slightly simpler patch. Not sure what that failure is about.
Comment #13
twistor (as a volunteer) commented:
oops.
Comment #14
DamienMcKenna
Comment #15
DamienMcKenna
Closing this in favor of #1081192: Verify peer on HTTPS if cURL available (but be careful of built-in cert bundles in the codebase), which has already been committed to Drupal 8.
Comment #16
Elijah Lynn
Comment #17
vijayan08 commented:
Hi All,
I have updated the below patch, it's working for me, but ssl_verify_peer FALSE is not recommendable
$verify_peer = variable_get('drupal_http_request_ssl_verify_peer', FALSE);
drupal_http_request-2761345-13.patch 1.66 KB
7.x: PHP 5.3 & MySQL 5.5 2,025 pass
Regards,
Vijayan Natarajan