Merge branch 'hotfix-osx-ssl-bug'

GoyaPtyLtd · Aug 31, 2016 · 7b279f9 · 7b279f9
2 parents 14a7d05 + 5581d91
commit 7b279f9
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 14 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,9 @@
+### 4.0.7 (Released 2016-08-31) ###
+- Update diagnostic report page to handle OS X Secure Transport incompatibility
+  bug exposed by FileMaker Sever 15 setting curl.cainfo in php.ini by default.
+
 ### 4.0.6 (Released 2016-07-28) ###
-- Update Mac OS X installer FMS version detection routine to resolve rejection 
+- Update Mac OS X installer FMS version detection routine to resolve rejection
   of FMS 13 where patch level is greater than minimum required.
 
 ### 4.0.5 (Released 2016-07-27) ###

diff --git a/RESTfm.ini.php.dist b/RESTfm.ini.php.dist
@@ -41,13 +41,16 @@ $config['settings'] = array (
     'SSLOnly' => FALSE,
 
     // Enforce strict SSL certificate checking when RESTfm is connecting to
-    // FileMaker Server Web Publishing Engine.
+    // the FileMaker Server Web Publishing Engine back-end. This setting is
+    // relevant only when the database hostspec is using https.
     // Check http://www.restfm.com/restfm-manual/install/ssl-troubleshooting
     // for further details.
     'strictSSLCertsFMS' => TRUE,
 
     // Enforce strict SSL certificate checking for RESTfm connecting to
-    // itself when executing the report page (report.php).
+    // itself when executing the diagnostics report page (report.php). This
+    // setting is used only in determining if clients are able to connect to
+    // the RESTfm front-end.
     // Check http://www.restfm.com/restfm-manual/install/ssl-troubleshooting
     // for further details.
     'strictSSLCertsReport' => TRUE,
@@ -77,6 +80,7 @@ $config['database'] = array (
     // If server is localhost, hostspec should be http://127.0.0.1
     // not http://localhost for speed reasons according to
     // FileMaker/conf/filemaker-api.php
+    // It is not necessary to use https with 127.0.0.1
     //'hostspec' => 'http://example.com',
     //'hostspec' => 'https://example.com',
     //'hostspec' => 'http://example.com:8081',

diff --git a/lib/RESTfm/Diagnostics.php b/lib/RESTfm/Diagnostics.php
@@ -286,7 +286,8 @@ public function test_webserverRedirect($reportItem) {
         if (curl_errno($ch)) {
             $reportItem->status = ReportItem::ERROR;
             $reportItem->details .=  'cURL failed with error: ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n";
-            if (curl_errno($ch) == 60) {    // SSL certificate problem: self signed certificate
+            if (curl_errno($ch) == 60 ||        // SSL certificate problem: self signed certificate
+                    curl_errno($ch) == 51) {    // OSX 'certificate verification failed (result: 5)'
                 $reportItem->details .= "\n";
                 $reportItem->details .= 'The host\'s SSL certificate has failed a verification check. This may be' . "\n";
                 $reportItem->details .= 'due to the certificate being invalid, or PHP\'s CA root certificates' . "\n";
@@ -297,6 +298,16 @@ public function test_webserverRedirect($reportItem) {
                                         ' in the RESTfm manual for further details.' . "\n";
                 $reportItem->details .= "\n";
                 $reportItem->details .= 'It is possible to disable this check by setting "strictSSLCertsReport" to FALSE in ' . RESTfmConfig::CONFIG_INI ."\n";
+            } elseif (curl_errno($ch) == 35 && strpos(curl_error($ch), 'CA certificate set, but certificate verification is disabled') !== FALSE) {
+                // OSX Secure Transport bug.
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'Unable to disable strict SSL certificate checking in ' . RESTfmConfig::CONFIG_INI . ' (\'strictSSLCertsReport\' => FALSE)' ."\n";
+                $reportItem->details .= 'while curl.cainfo is set in php.ini due to a compatibility bug in Apple\'s OS X Secure Transport library.' . "\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'Please consult ' .
+                                        '<a target="_blank" href="http://www.restfm.com/restfm-manual/install/ssl-troubleshooting-os-x-secure-transport-bug">SSL Troubleshooting - OS X Secure Transport Bug</a>' .
+                                        ' in the RESTfm manual for a workaround.' . "\n";
+                $reportItem->details .= "\n";
             }
         } elseif ( strpos($result, 'RESTfm is not configured') ) {
             $reportItem->status = ReportItem::ERROR;
@@ -352,9 +363,10 @@ public function test_filemakerAPI($reportItem) {
         curl_setopt($ch, CURLOPT_HEADER, 0);
         curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
-        // SSL certificates were checked in an earlier test.
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+        if (RESTfmConfig::getVar('settings', 'strictSSLCertsReport') === FALSE) {
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+        }
         curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE);
         curl_setopt($ch, CURLOPT_FORBID_REUSE, TRUE);
         curl_setopt($ch, CURLOPT_USERAGENT, 'RESTfm Diagnostics');
@@ -413,7 +425,8 @@ public function test_filemakerConnect($reportItem) {
         if (curl_errno($ch)) {
             $reportItem->status = ReportItem::ERROR;
             $reportItem->details .=  'cURL failed with error: ' . curl_errno($ch) . ': ' . curl_error($ch) . "\n";
-            if (curl_errno($ch) == 60) {    // SSL certificate problem: self signed certificate in certificate chain
+            if (curl_errno($ch) == 60 ||        // SSL certificate problem: self signed certificate in certificate chain
+                    curl_errno($ch) == 51) {    // OSX 'certificate verification failed (result: 5)'
                 $reportItem->details .= "\n";
                 $reportItem->details .= 'The host\'s SSL certificate has failed a verification check. This may be' . "\n";
                 $reportItem->details .= 'due to the certificate being invalid, or PHP\'s CA root certificates' . "\n";
@@ -424,6 +437,16 @@ public function test_filemakerConnect($reportItem) {
                                         ' in the RESTfm manual for further details.' . "\n";
                 $reportItem->details .= "\n";
                 $reportItem->details .= 'It is possible to disable this check by setting "strictSSLCertsFMS" to FALSE in ' . RESTfmConfig::CONFIG_INI ."\n";
+            } elseif (curl_errno($ch) == 35 && strpos(curl_error($ch), 'CA certificate set, but certificate verification is disabled') !== FALSE) {
+                // OSX Secure Transport bug.
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'Unable to disable strict SSL certificate checking in ' . RESTfmConfig::CONFIG_INI . ' (\'strictSSLCertsFMS\' => FALSE)' ."\n";
+                $reportItem->details .= 'while curl.cainfo is set in php.ini due to a compatibility bug in Apple\'s OS X Secure Transport library.' . "\n";
+                $reportItem->details .= "\n";
+                $reportItem->details .= 'Please consult ' .
+                                        '<a target="_blank" href="http://www.restfm.com/restfm-manual/install/ssl-troubleshooting-os-x-secure-transport-bug">SSL Troubleshooting - OS X Secure Transport Bug</a>' .
+                                        ' in the RESTfm manual for a workaround.' . "\n";
+                $reportItem->details .= "\n";
             }
         } elseif (stripos($result, 'FileMaker') === FALSE) {
             $reportItem->status = ReportItem::ERROR;
@@ -441,11 +464,12 @@ public function test_filemakerConnect($reportItem) {
 
         $FM = new FileMaker();
         $FM->setProperty('hostspec', $hostspec);
-        // SSL certificates were checked in an earlier test.
-        $FM->setProperty('curlOptions', array(
-                            CURLOPT_SSL_VERIFYPEER => FALSE,
-                            CURLOPT_SSL_VERIFYHOST => FALSE,
-                            ));
+        if (RESTfmConfig::getVar('settings', 'strictSSLCertsFMS') === FALSE) {
+            $FM->setProperty('curlOptions', array(
+                                CURLOPT_SSL_VERIFYPEER => FALSE,
+                                CURLOPT_SSL_VERIFYHOST => FALSE,
+                                ));
+        }
 
         $fileMakerResult = $FM->listDatabases();
         $unauthorised = FALSE;

diff --git a/lib/RESTfm/Version.php b/lib/RESTfm/Version.php
@@ -21,7 +21,7 @@
  * Version static class to hold release version.
  */
 class Version {
-    private static $_release     = '4.0.6';
+    private static $_release     = '4.0.7';
     private static $_revision    = '%%REVISION%%';
     private static $_protocol    = '5';     // Bump this when REST API changes.