|
|
|
|
@ -353,3 +353,27 @@ return [
|
|
|
|
|
|
|
|
|
|
> Note: you should always prefer web server configuration for 'host header attack' protection instead of the filter usage. |
|
|
|
|
[[yii\filters\HostControl]] should be used only if server configuration setup is unavailable. |
|
|
|
|
|
|
|
|
|
### Configuring SSL peer validation |
|
|
|
|
|
|
|
|
|
There is a typical misconception about how to solve SSL certificate validation issues such as: |
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
cURL error 60: SSL certificate problem: unable to get local issuer certificate |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
or |
|
|
|
|
|
|
|
|
|
``` |
|
|
|
|
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed |
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
Many sources wrongly suggest disabling SSL peer verification. That should not be ever done since it enabled |
|
|
|
|
man-in-the middle type of attacks. Instead, PHP should be configured properly: |
|
|
|
|
|
|
|
|
|
1. Download [https://curl.haxx.se/ca/cacert.pem](https://curl.haxx.se/ca/cacert.pem). |
|
|
|
|
2. Add the following to your php.ini: |
|
|
|
|
``` |
|
|
|
|
openssl.cafile="/path/to/cacert.pem" |
|
|
|
|
curl.cainfo="/path/to/cacert.pem". |
|
|
|
|
``` |
|
|
|
|
|
Alexander Makarov
4 years ago