Merge pull request #422 from stripe/ob-use-vendored-ca-bundle

Use vendored CA bundle for all requests

README.md

@@ -140,6 +140,15 @@ $curl = new \Stripe\HttpClient\CurlClient([CURLOPT_SSLVERSION => CURL_SSLVERSION
 \Stripe\ApiRequestor::setHttpClient($curl);
 ```
 
+### Configuring CA Bundles
+
+By default, the library will use its own internal bundle of known CA
+certificates, but it's possible to configure your own:
+
+```php
+\Stripe\Stripe::setCABundlePath("path/to/ca/bundle");
+```
+
 ## Development
 
 Install dependencies:

lib/HttpClient/CurlClient.php

@@ -180,32 +180,14 @@ public function request($method, $absUrl, $headers, $params, $hasFile)
         $opts[CURLOPT_TIMEOUT] = $this->timeout;
         $opts[CURLOPT_HEADERFUNCTION] = $headerCallback;
         $opts[CURLOPT_HTTPHEADER] = $headers;
-        if (!Stripe::$verifySslCerts) {
+        $opts[CURLOPT_CAINFO] = Stripe::getCABundlePath();
+        if (!Stripe::getVerifySslCerts()) {
             $opts[CURLOPT_SSL_VERIFYPEER] = false;
         }
 
         curl_setopt_array($curl, $opts);
         $rbody = curl_exec($curl);
 
-        if (!defined('CURLE_SSL_CACERT_BADFILE')) {
-            define('CURLE_SSL_CACERT_BADFILE', 77);  // constant not defined in PHP
-        }
-
-        $errno = curl_errno($curl);
-        if ($errno == CURLE_SSL_CACERT ||
-            $errno == CURLE_SSL_PEER_CERTIFICATE ||
-            $errno == CURLE_SSL_CACERT_BADFILE
-        ) {
-            array_push(
-                $headers,
-                'X-Stripe-Client-Info: {"ca":"using Stripe-supplied CA bundle"}'
-            );
-            $cert = self::caBundle();
-            curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
-            curl_setopt($curl, CURLOPT_CAINFO, $cert);
-            $rbody = curl_exec($curl);
-        }
-
         if ($rbody === false) {
             $errno = curl_errno($curl);
             $message = curl_error($curl);
@@ -250,9 +232,4 @@ private function handleCurlError($url, $errno, $message)
         $msg .= "\n\n(Network error [errno $errno]: $message)";
         throw new Error\ApiConnection($msg);
     }
-
-    private static function caBundle()
-    {
-        return dirname(__FILE__) . '/../../data/ca-certificates.crt';
-    }
 }

lib/Stripe.php

@@ -30,6 +30,9 @@ class Stripe
     // @var string|null The account ID for connected accounts requests.
     public static $accountId = null;
 
+    // @var string Path to the CA bundle used to verify SSL certificates
+    public static $caBundlePath = null;
+
     // @var boolean Defaults to true.
     public static $verifySslCerts = true;
 
@@ -116,6 +119,30 @@ public static function setApiVersion($apiVersion)
         self::$apiVersion = $apiVersion;
     }
 
+    /**
+     * @return string
+     */
+    private static function getDefaultCABundlePath()
+    {
+        return realpath(dirname(__FILE__) . '/../data/ca-certificates.crt');
+    }
+
+    /**
+     * @return string
+     */
+    public static function getCABundlePath()
+    {
+        return self::$caBundlePath ?: self::getDefaultCABundlePath();
+    }
+
+    /**
+     * @param string $caBundlePath
+     */
+    public static function setCABundlePath($caBundlePath)
+    {
+        self::$caBundlePath = $caBundlePath;
+    }
+
     /**
      * @return boolean
      */

tests/Stripe/StripeTest.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace Stripe;
+
+class StripeTest extends TestCase
+{
+    /**
+     * @before
+     */
+    public function saveOriginalValues()
+    {
+        $this->orig = [
+            'caBundlePath' => Stripe::$caBundlePath,
+        ];
+    }
+
+    /**
+     * @after
+     */
+    public function restoreOriginalValues()
+    {
+        Stripe::$caBundlePath = $this->orig['caBundlePath'];
+    }
+
+    public function testCABundlePathAccessors()
+    {
+        Stripe::setCABundlePath('path/to/ca/bundle');
+        $this->assertEquals('path/to/ca/bundle', Stripe::getCABundlePath());
+    }
+}