mailchimp-api
SSL verification failure does not get reported by getLastError
As is commonly the case, my PHP setup doesn't have the proper intermediate certs, etc., so my first test of mailchimp-api failed. Eventually I figured out why.
Looking at Mailchimp.php line 252 I was expecting that the CURL error message that explains the problem would end up in $this->last_error and be reported back via getLastError()
$this->last_error = curl_error($ch);
However it seems that it gets overwritten by a generic error message at line 398 (near the end of determineSuccess()). Commenting this out meant I started seeing the CURL error as expected.
// $this->last_error = 'Unknown error, call getLastResponse() to find out what happened.';
So my suggestion is that determineSuccess shouldn't overwrite last_error since it might have some useful error info from CURL in it.
Also it would be great if the class had a method to set the cacert.pem file location so that makeRequest() would automatically add the corresponding CURLOPT_CAINFO flag if the path is set.
Hi, I also think this is a major problem because the actual behavior simply hides the clear SSL certificate error returned by CURL.
I just spent several hours reviewing the source code of one of our developers to find the problem came from this SSL certificate problem :(
The proposition of @tbar0970 of not replacing the last error variable seems good to me.
Also, like @biohzrdmx, we would like to be able to set the SSL certificate path manually instead of using the global php.ini curl.cainfo variable (see https://snippets.webaware.com.au/howto/stop-turning-off-curlopt_ssl_verifypeer-and-fix-your-php-config/).
This is because in our case injecting the certificate files inside our application package is far less risky than updating all our servers' configuration.
We developed another API based on CURL which allows developers to easily configure additional CURL options on the API client.
Perhaps the concepts applied in this API can be copied inside the Mailchimp API client source code.
The principle is simple: we allow the developer to set additional CURL options, then at request time those additional CURL options are merged with default ones.
The useful lines are the following.
- https://github.com/gomoob/php-pushwoosh/blob/master/src/main/php/Gomoob/Pushwoosh/Client/CURLClient.php#L28
- https://github.com/gomoob/php-pushwoosh/blob/master/src/main/php/Gomoob/Pushwoosh/Client/CURLClient.php#L163
- https://github.com/gomoob/php-pushwoosh/blob/master/src/main/php/Gomoob/Pushwoosh/Client/CURLClient.php#L230
- https://github.com/gomoob/php-pushwoosh/blob/master/src/main/php/Gomoob/Pushwoosh/Client/CURLClient.php#L102
Hope this helps.
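A sketch of the two suggestions in this thread, added here as an example and not taken from the mailchimp-api or php-pushwoosh code: caller-supplied cURL options (including a bundled CA file) are merged over defaults, and the cURL error is kept instead of being replaced by a generic message. The class name `ExampleCurlClient` and its method names are hypothetical.

```php
<?php
// Added example: hypothetical client, not the MailChimp class.
final class ExampleCurlClient
{
    private array $extraOptions = [];
    private string $lastError = '';

    /** Use a CA bundle shipped with the application instead of php.ini curl.cainfo. */
    public function setCaBundle(string $path): void
    {
        if (!is_readable($path)) {
            throw new InvalidArgumentException("CA bundle not readable: $path");
        }
        $this->extraOptions[CURLOPT_CAINFO] = $path;
    }

    public function setExtraOptions(array $options): void
    {
        // array_replace keeps the integer CURLOPT_* keys; array_merge would renumber them.
        $this->extraOptions = array_replace($this->extraOptions, $options);
    }

    public function getLastError(): string
    {
        return $this->lastError;
    }

    /** Returns the response body, or false on failure (see getLastError()). */
    public function get(string $url)
    {
        $this->lastError = '';
        $options = array_replace(
            [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10],
            $this->extraOptions,
            // Applied last so merged caller options cannot switch verification off.
            [CURLOPT_URL => $url, CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2]
        );
        $ch = curl_init();
        curl_setopt_array($ch, $options);
        $body = curl_exec($ch);
        if ($body === false) {
            // Transport failure: record cURL's own message (e.g. a certificate error).
            $this->lastError = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        }
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        if ($body === false || $status < 200 || $status > 299) {
            // Fall back to a generic message only when nothing specific was recorded.
            if ($this->lastError === '') {
                $this->lastError = "Request failed with HTTP status $status";
            }
            return false;
        }
        return $body;
    }
}
```

With a missing or wrong CA bundle, `getLastError()` then returns the cURL certificate error rather than a generic "unknown error" string.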