Disable certificate verification in PHP SoapClient

MW. picture MW. · Dec 9, 2011 · Viewed 85.4k times · Source

Summary:
Is there a way to force the built in SoapClient-class in PHP to connect over HTTPS to a server with an invalid certificate?

Why would I want to do that?
I have deployed a new application on a server that has no DNS entry or certificate yet. I want to try connecting to it with a SoapClient before setting up the DNS entry and fixing the certificate, and the most reasonable way to do this seems to be to just make the client ignore the certificate during testing.

Don't I realise that this is a huge security risk?
This is only for testing. When the service goes into production, there will be a valid certificate in place, and the client will be forced to validate it.

Answer

Kaii picture Kaii · Dec 9, 2011

SoapClient takes a stream context in its parameters, which you can create yourself. That way you can control almost every aspect of the transport layer:

$context = stream_context_create([
    'ssl' => [
        // set some SSL/TLS specific options
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    ]
]);

$client  = new SoapClient(null, [
    'location' => 'https://...',
    'uri' => '...', 
    'stream_context' => $context
]);

Documentation: