diff --git a/README.md b/README.md index 89c31e757..2e8c60ebb 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,15 @@ $curl = new \Stripe\HttpClient\CurlClient([CURLOPT_SSLVERSION => CURL_SSLVERSION \Stripe\ApiRequestor::setHttpClient($curl); ``` +### Configuring CA Bundles + +By default, the library will use its own internal bundle of known CA +certificates, but it's possible to configure your own: + +```php +\Stripe\Stripe::setCABundlePath("path/to/ca/bundle"); +``` + ## Development Install dependencies: diff --git a/lib/HttpClient/CurlClient.php b/lib/HttpClient/CurlClient.php index 91b67cc35..c03b2c9ec 100644 --- a/lib/HttpClient/CurlClient.php +++ b/lib/HttpClient/CurlClient.php @@ -180,32 +180,14 @@ public function request($method, $absUrl, $headers, $params, $hasFile) $opts[CURLOPT_TIMEOUT] = $this->timeout; $opts[CURLOPT_HEADERFUNCTION] = $headerCallback; $opts[CURLOPT_HTTPHEADER] = $headers; - if (!Stripe::$verifySslCerts) { + $opts[CURLOPT_CAINFO] = Stripe::getCABundlePath(); + if (!Stripe::getVerifySslCerts()) { $opts[CURLOPT_SSL_VERIFYPEER] = false; } curl_setopt_array($curl, $opts); $rbody = curl_exec($curl); - if (!defined('CURLE_SSL_CACERT_BADFILE')) { - define('CURLE_SSL_CACERT_BADFILE', 77); // constant not defined in PHP - } - - $errno = curl_errno($curl); - if ($errno == CURLE_SSL_CACERT || - $errno == CURLE_SSL_PEER_CERTIFICATE || - $errno == CURLE_SSL_CACERT_BADFILE - ) { - array_push( - $headers, - 'X-Stripe-Client-Info: {"ca":"using Stripe-supplied CA bundle"}' - ); - $cert = self::caBundle(); - curl_setopt($curl, CURLOPT_HTTPHEADER, $headers); - curl_setopt($curl, CURLOPT_CAINFO, $cert); - $rbody = curl_exec($curl); - } - if ($rbody === false) { $errno = curl_errno($curl); $message = curl_error($curl); 
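Review bot: `$opts[CURLOPT_CAINFO] = Stripe::getCABundlePath();` is now the only trust-store setting in `request()`, and with the retry block removed nothing checks that the value is a readable file before `curl_exec`. `getDefaultCABundlePath()` returns the result of `realpath()`, which is `false` when the bundled file is missing, and `setCABundlePath()` stores whatever it is given, so a wrong path would presumably surface only as the network error built in `handleCurlError`. I would fail early with a specific message, e.g. `$caPath = Stripe::getCABundlePath();` followed by `if (!is_string($caPath) || !is_readable($caPath)) { throw new Error\ApiConnection("CA bundle is not readable: " . var_export($caPath, true)); }`. It is also worth a comment above the `getVerifySslCerts()` branch saying that a private CA should be handled through `setCABundlePath()` rather than by turning peer verification off. `request()` begins and continues outside this hunk.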
@@ -250,9 +232,4 @@ private function handleCurlError($url, $errno, $message) $msg .= "\n\n(Network error [errno $errno]: $message)"; throw new Error\ApiConnection($msg); } - - private static function caBundle() - { - return dirname(__FILE__) . '/../../data/ca-certificates.crt'; - } } diff --git a/lib/Stripe.php b/lib/Stripe.php index e80dfcdf4..885b678b3 100644 --- a/lib/Stripe.php +++ b/lib/Stripe.php @@ -30,6 +30,9 @@ class Stripe // @var string|null The account ID for connected accounts requests. public static $accountId = null; + // @var string Path to the CA bundle used to verify SSL certificates + public static $caBundlePath = null; + // @var boolean Defaults to true. public static $verifySslCerts = true; @@ -116,6 +119,30 @@ public static function setApiVersion($apiVersion) self::$apiVersion = $apiVersion; } + /** + * @return string + */ + private static function getDefaultCABundlePath() + { + return realpath(dirname(__FILE__) . '/../data/ca-certificates.crt'); + } + + /** + * @return string + */ + public static function getCABundlePath() + { + return self::$caBundlePath ?: self::getDefaultCABundlePath(); + } + + /** + * @param string $caBundlePath + */ + public static function setCABundlePath($caBundlePath) + { + self::$caBundlePath = $caBundlePath; + } + /** * @return boolean */ diff --git a/tests/Stripe/StripeTest.php b/tests/Stripe/StripeTest.php new file mode 100644 index 000000000..f594518d1 --- /dev/null +++ b/tests/Stripe/StripeTest.php @@ -0,0 +1,30 @@ +orig = [ + 'caBundlePath' => Stripe::$caBundlePath, + ]; + } + + /** + * @after + */ + public function restoreOriginalValues() + { + Stripe::$caBundlePath = $this->orig['caBundlePath']; + } + + public function testCABundlePathAccessors() + { + Stripe::setCABundlePath('path/to/ca/bundle'); + $this->assertEquals('path/to/ca/bundle', Stripe::getCABundlePath()); + } +}
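Review bot: The `// @var string` comment on `$caBundlePath` does not match its `null` default, and the `@return string` on `getDefaultCABundlePath()` in the next hunk hides that `realpath()` can return `false`. I would write `// @var string|null Path to a CA bundle file; null selects the bundled data/ca-certificates.crt` on the property and `@return string|false` on the default getter. The setter docblock could state that `null` or an empty string restores the default, since `getCABundlePath()` falls back through `?:`. Because the property is public, callers can also assign it directly and bypass the setter, which is what the new test's setup and teardown do.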
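Review bot: `testCABundlePathAccessors` covers only the set/get round trip, so the default branch of `getCABundlePath()` is never exercised. A second test that leaves `Stripe::$caBundlePath` as `null` and asserts `$this->assertFileExists(Stripe::getCABundlePath());` would catch a moved or missing `data/ca-certificates.crt`, which after this commit is the bundle every request relies on. The opening lines of this new file are not legible in the view I have, so I have not reviewed the class declaration or the setup method.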