doesn't honour curl.cainfo setting

[davidegiunchidiennea]

We are using a firewall that does Deep Packet Inspection, so it uses an internal custom CA and every client must import this CA to the trusted ca list, or every https request will fail.
Now when i run:
wp-cli core download
i get the error:

Error: Failed to get url 'https://api.wordpress.org/core/version-check/1.6/?locale=en_US': cURL error 60: Peer's certificate issuer has been marked as not trusted by the user..

I've dowloaded the offial cacert.pem:
http://curl.haxx.se/ca/cacert.pem
appended our CA, and modified php.ini by adding:
curl.cainfo = /etc/curl-cacert.pem

now every php https curl call works good, even curl via command line, but not wp-cli!
with wp-cli I continue to receive the same error, why?
maybe wp-cli dosn't use the curl.cainfo setting?

i've tried even:
echo "cacert /etc/curl-cacert.pem" >> ~/.curlrc
but it still doesn't work.

Here it's some info about my envirnment:

OS: Linux 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64
Shell:
PHP binary: /usr/bin/php
PHP version: 7.2.16
php.ini used: /etc/php.ini
WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir: phar://wp-cli.phar/vendor
WP_CLI phar path: /tmp
WP-CLI packages dir: /root/.wp-cli/packages/
WP-CLI global config: /root/.wp-cli/config.yml
WP-CLI project config:
WP-CLI version: 2.1.0

[schlessera]

As far as I know, this should already be handled by the Requests library that is included with WordPress Core.

@rmccue Do you have any immediate pointers what could be the issue here? As far as I can see in the code, Requests does seem to check the CURLOPT_CAINFO option.

[WhiteWinterWolf]

Same issue here.

As per my understanding, the issue lies in the http_request() function which forces the underlying Requests to use a hardcoded cacert.pem file bundled within WP-Cli, instead of using system or user-provided files.

I see that WP-Cli already ships CaBundle which does a very nice job at this. Maybe WP-Cli should use it to first attempt to rely on standard, customizable CA certificates location, and only use the hardcoded file as fallback ?

[WhiteWinterWolf]

I proposed the following fix for this issue in my pull request #5514:

• When the curl.cainfo PHP setting is set, its value is considered as compulsory and no other CA is checked.
• The same way, if a caller of the http_request() function explicitly sets the options['verify'] argument, I also consider this as compulsory.
• Otherwise, by default, http_request():
  • First, attempts to rely on system-wide certificate authorities, as expected with any TLS client software,
  • Then, if the certificate chain validation fails, it fallbacks on the embedded cacert.pem file.

Main changes from a user perspective:

• If a custom CA is configured on the host running WP-CLI, it will now automatically be taken into account by default.
• If an administrator mandates the use of a specific trusted CA file through the curl.cainfo PHP setting, this will override any other CA found on the system or within the WP-CLI Phar file.