Expose setting CURLSSLOPT_NATIVE_CA as an option

getsentry · Sep 4, 2024 · 6d7038f · 6d7038f
1 parent aa207f5
commit 6d7038f
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -125,6 +125,11 @@ parameters:
 			count: 1
 			path: src/Options.php
 
+		-
+			message: "#^Method Sentry\\\\Options\\:\\:getHttpSslNativeCa\\(\\) should return bool but returns mixed\\.$#"
+			count: 1
+			path: src/Options.php
+
 		-
 			message: "#^Method Sentry\\\\Options\\:\\:getHttpSslVerifyPeer\\(\\) should return bool but returns mixed\\.$#"
 			count: 1

diff --git a/src/HttpClient/HttpClient.php b/src/HttpClient/HttpClient.php
@@ -78,6 +78,17 @@ public function sendRequest(Request $request, Options $options): Response
             curl_setopt($curlHandle, \CURLOPT_SSL_VERIFYPEER, false);
         }
 
+        $httpSslNativeCa = $options->getHttpSslNativeCa();
+        if ($httpSslNativeCa) {
+            if (
+                \defined('CURLSSLOPT_NATIVE_CA')
+                && isset(curl_version()['version'])
+                && version_compare(curl_version()['version'], '7.71', '>=')
+            ) {
+                curl_setopt($curlHandle, \CURLOPT_SSL_OPTIONS, \CURLSSLOPT_NATIVE_CA);
+            }
+        }
+
         $httpProxy = $options->getHttpProxy();
         if ($httpProxy !== null) {
             curl_setopt($curlHandle, \CURLOPT_PROXY, $httpProxy);

diff --git a/src/Options.php b/src/Options.php
@@ -942,6 +942,20 @@ public function setHttpSslVerifyPeer(bool $httpSslVerifyPeer): self
         return $this;
     }
 
+    public function getHttpSslNativeCa(): bool
+    {
+        return $this->options['http_ssl_native_ca'];
+    }
+
+    public function setHttpSslNativeCa(bool $httpSslNativeCa): self
+    {
+        $options = array_merge($this->options, ['http_ssl_native_ca' => $httpSslNativeCa]);
+
+        $this->options = $this->resolver->resolve($options);
+
+        return $this;
+    }
+
     /**
      * Returns whether the requests should be compressed using GZIP or not.
      */
@@ -1139,6 +1153,7 @@ private function configureOptions(OptionsResolver $resolver): void
             'http_connect_timeout' => self::DEFAULT_HTTP_CONNECT_TIMEOUT,
             'http_timeout' => self::DEFAULT_HTTP_TIMEOUT,
             'http_ssl_verify_peer' => true,
+            'http_ssl_native_ca' => false,
             'http_compression' => true,
             'capture_silenced_errors' => false,
             'max_request_body_size' => 'medium',

diff --git a/tests/OptionsTest.php b/tests/OptionsTest.php
@@ -362,6 +362,13 @@ static function (): void {},
             'setHttpSslVerifyPeer',
         ];
 
+        yield [
+            'http_ssl_native_ca',
+            true,
+            'getHttpSslNativeCa',
+            'setHttpSslNativeCa',
+        ];
+
         yield [
             'http_compression',
             false,