ZF-4838: HTTPS in Zend_Http_Client is to be considered insecure

Issue Type: Bug Created: 2008-11-06T12:13:34.000+0000 Last Updated: 2011-12-02T01:18:46.000+0000 Status: Postponed Fix version(s): - Next Major Release ()

Reporter: Thomas Gelf (tgelf) Assignee: Shahar Evron (shahar) Tags: - Zend_Http_Client

  • zf-crteam-padraic
  • zf-crteam-priority

Related issues: - ZF-2946



Zend_Http_Client (to more specific: it's only available adapter Zend_Http_Client_Adapter_Socket) does neither verify server certificates nor does it verify hostnames. Zend_Http_Client_Adapter_Curl behaves correct, but is not in trunk.

Best regards, Thomas Gelf


Posted by Thomas Gelf (tgelf) on 2008-11-06T13:03:13.000+0000

ML post and IRC discussion regarding this issue:…

Posted by Benjamin Eberlei (beberlei) on 2009-03-20T03:46:56.000+0000

Fixed with ZF-3616, inclusion of cURL Adapter into trunk, released in 1.8

Posted by Thomas Gelf (tgelf) on 2009-03-20T04:06:15.000+0000

This is great news! I've been using your adapter for a while, the fact that it will be provided with ZF will however make things easier ;-)

Anyways, this doesn't solve the issue for me: Zend_Http_Client is still to be considered insecure with HTTPS and still prone to MITM attacks. This is also true for all Service-Components based on Zend_Http_Clients. The fact that there finally IS a secure connection adapter does neither fix the default one (Socket), nor does it tell coders to NOT use the default one for HTTPS unless fixed nor does it fix other components based on Zend_Http_Client.

Posted by Shahar Evron (shahar) on 2009-07-23T14:34:54.000+0000

Depends on being able to set context parameters on the stream. Work in progress on that.

Posted by Shahar Evron (shahar) on 2009-07-23T14:45:53.000+0000

Now that the setStreamContext() and getStreamContext() methods have been added (in trunk, CS-17009), you should be able to force peer validation easily.

We can't set this behavior to be the default one, because of BC issues. I also suspect most people will not want this because it makes development and testing harder.

Thanks for reporting!

Posted by Thomas Gelf (tgelf) on 2009-07-24T02:27:04.000+0000

That's great news, thank you!

Let me add some thoughts regarding default settings. First, this is what I posted last autumn to ZF's mailinglist:

Unfortunately switching validation on per default is not an option as it would break currently working applications. I would suggest to change this with ZF 2.0 - as other libs / languages I know (CURL, Java, C# etc) are doing so out of the box. And in my believes this is the only correct way of using HTTPS. If someone wants to do insecure things he is free to do so, but he has to explicitly switch checks off.

(see… for full post)

I don't know which Zend_Service_Whatever-Classes are based on HTTPS (a quick grep showed Amazon_Ec2, Delicious, ReCaptcha), probably all of them are using Zend_Http_Client - with insecure defaults. And I'm pretty sure others will follow.

Therefore I strongly suggest changing default settings with ZF 2.0. Many developers just don't realize that self-signed certificates lead HTTPS ad absurdum - and also not verifying signed ones does. If someone insists on using useless certificates he can do so. But he needs to be made aware of doing something REALLY bad (and shall be forced into explicitely allowing this in his own code).

What is the best way to add a note assuring this doesn't will be forgotten? Open a seperate ticket against "Next Major Release"?

Best regards, Thomas Gelf

Posted by Ralph Schindler (ralph) on 2010-01-06T20:15:15.000+0000

Postponing issue until 2.0 when we can change the defaults in the socket adapter to be more like that of the curl adapter: validating all certificates by default.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.