Background: In PHP, turning on CURLOPT_SSL_VERIFYPEER and doing lots of requests ends up leaving lots of copies of the CA bundle in memory (curl_close doesn't help). A workaround is using a minimal CA bundle, by pulling out the relevant CA certificate from /etc/pki/tls/certs/ca-bundle.crt and specifying the resulting path in CURLOPT_CAINFO.
Issue: The missing piece is how to integrate this automatically in the release process, so that it
- verifies that the host certificate is trusted and
- pulls out the CA certificate which was used to verify the host certificate into a separate file.
This is necessary to make sure that if the host changes their certificate provider (rare & unlikely) we can still easily change our bundle.
How can I do the last point reliably? openssl s_client -connect example.com:443 -showcerts shows neither the serial of the verifying certificate nor its full contents. The C/O/CN properties should obviously be unique in the CA bundle, but it seems brittle to rely on parsing that, and I don't know how to reliably query (as opposed to adding brittleness by grepping) the CA bundle for a C/O/CN combination.
Relevant versions:
# php --version | head -n1
PHP 5.4.16 (cli) (built: Nov 6 2016 00:29:02)
# rpm -qi libcurl | grep ^Version
Version : 7.29.0
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# uname --kernel-name --kernel-release --kernel-version --processor
Linux 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64
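One way to do the second bullet without any name matching, as an added example that is not from the question or any project: let openssl verify the served chain against each bundle certificate on its own, and keep the one that succeeds. It assumes openssl(1) 1.0.x or newer and a PEM bundle like /etc/pki/tls/certs/ca-bundle.crt; the function names, the work directory layout and the hosts/paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the question or any project): pick the bundle
# certificate that actually verifies a host's served chain and emit it as a
# minimal CA bundle. Assumes openssl(1) 1.0.x or later and a PEM bundle such as
# /etc/pki/tls/certs/ca-bundle.crt. Function names and paths are hypothetical.

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/<n>.pem.
# Text between certificates (RHEL bundles carry descriptions) is dropped.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# fetch_chain HOST: print the chain the server presents, leaf first, as PEM.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# find_anchor CHAIN BUNDLE: print the one bundle certificate that verifies CHAIN.
# Each candidate is tried alone as the trust store (an empty -CApath stops openssl
# from silently consulting the system hash directory) with the served
# intermediates as -untrusted, i.e. the same question curl asks at connect time,
# so no C/O/CN text is parsed. Exit 1 if nothing in BUNDLE verifies CHAIN.
find_anchor() {
    work=$(mktemp -d) || return 2
    mkdir "$work/bundle" "$work/chain" "$work/empty"
    split_bundle "$2" "$work/bundle"
    split_bundle "$1" "$work/chain"
    for c in "$work"/chain/*.pem; do
        [ "$c" = "$work/chain/1.pem" ] || cat "$c"
    done > "$work/untrusted"
    set -- "$work/chain/1.pem"
    [ -s "$work/untrusted" ] && set -- -untrusted "$work/untrusted" "$1"
    status=1
    for cand in "$work"/bundle/*.pem; do
        # Match "<file>: OK" instead of the exit code, which older openssl did not set reliably.
        if openssl verify -CAfile "$cand" -CApath "$work/empty" "$@" 2>/dev/null |
               grep -q ': OK$'; then
            cat "$cand"; status=0; break
        fi
    done
    rm -rf "$work"
    return $status
}
```

In a release step this is `fetch_chain example.com > chain.pem && find_anchor chain.pem /etc/pki/tls/certs/ca-bundle.crt > minimal-ca.pem`; a non-zero exit from find_anchor means the host is not trusted by the full bundle, which is the first bullet's check.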