Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63615
Return-Path: <inefedor@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68234 invoked from network); 25 Oct 2012 06:59:04 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Oct 2012 06:59:04 -0000
Authentication-Results: pb1.pair.com smtp.mail=inefedor@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=inefedor@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender)
X-PHP-List-Original-Sender: inefedor@gmail.com
X-Host-Fingerprint: 209.85.215.42 mail-la0-f42.google.com  
Received: from [209.85.215.42] ([209.85.215.42:32919] helo=mail-la0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 3C/51-59506-733E8805 for <internals@lists.php.net>; Thu, 25 Oct 2012 02:59:03 -0400
Received: by mail-la0-f42.google.com with SMTP id e6so1158748lah.29
        for <internals@lists.php.net>; Wed, 24 Oct 2012 23:59:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=content-type:to:cc:subject:references:date:mime-version
         :content-transfer-encoding:from:message-id:in-reply-to:user-agent;
        bh=M0C70WY9jqyvh6SaK7wG4WN2/rHT7Dmm90iF/YI9gDM=;
        b=ZaTmZjhbe4Jd3MYRJE3fcN0Zivj0dOfFCeZPYnAL5DFtIV8noqM+jZHXCcM3wgwm5B
         Oz4fPsjHLEV7x6o0gFS1fWGeI5oSo3WWNPWxKgR2lL8tP/AyWpVKN82uzs53G6uSllr6
         NxR0p0zAIwiqMh9GZ1X5yy5Wk+YKO4nnlujJRhZauPcG1Ej9hBe3XOedAfWQonv/6INb
         dI+3Zi4l4ipNoT4Z7nG3G8Hv/+/9Mm9gLsY2amRvwKuM+9WMjw3ePukua85pZz47wr45
         Dv6+34YYAXxMIRw4FLRq2jzN2ss6oFeICvEdKsOMQKXYSW2GhMWfGWdStHcNTmVqtmUP
         gwiA==
Received: by 10.152.106.212 with SMTP id gw20mr16635069lab.8.1351148340072;
        Wed, 24 Oct 2012 23:59:00 -0700 (PDT)
Received: from debian-nnefedov.local ([46.38.35.218])
        by mx.google.com with ESMTPS id sy1sm5574123lab.16.2012.10.24.23.58.58
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 24 Oct 2012 23:58:59 -0700 (PDT)
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: JJ <jawed@php.net>, "Adam Harvey" <aharvey@php.net>
Cc: "Sherif Ramadan" <theanomaly.is@gmail.com>, internals@lists.php.net
References: <CAB75mSX-cMqZPTfv2vc8fakD_pr31qPR+kO5_O=zYiVoy4xH2w@mail.gmail.com> <CAL+t6cF=e_55=v9bZVy7Tv=V3M4CUQLueu=b5Efa+MD0ewG_qA@mail.gmail.com> <CAB75mSVg10VURjFmOhNQk87CqVP9FOQmcSzzgfMUTEb6S7WvxQ@mail.gmail.com> <CADajX4ALHEzXDQQuqwjiOx5bdgUVG+4pXGAJ_Unano3z9S5ZSQ@mail.gmail.com>
Date: Thu, 25 Oct 2012 10:59:26 +0400
MIME-Version: 1.0
Content-Transfer-Encoding: Quoted-Printable
Message-ID: <op.wmp21cr6c9evq2@debian-nnefedov.local>
In-Reply-To: <CADajX4ALHEzXDQQuqwjiOx5bdgUVG+4pXGAJ_Unano3z9S5ZSQ@mail.gmail.com>
User-Agent: Opera Mail/12.02 (Linux)
Subject: Re: [PHP-DEV] Changing the default value of "true" for
 CURLOPT_SSL_VERIFYHOST
From: inefedor@gmail.com ("Nikita Nefedov")

CURLOPT_SSL_VERIFYHOST - this option just sounds like "should I verify  =

host?", when it must sound like "what verifying strategy should I use?"

On Thu, 25 Oct 2012 10:19:24 +0400, Adam Harvey <aharvey@php.net> wrote:=


> On 25 October 2012 13:46, JJ <jawed@php.net> wrote:
>> On Wed, Oct 24, 2012 at 10:34 PM, Sherif Ramadan
>> <theanomaly.is@gmail.com> wrote:
>>> I understand there are people out there that don't read the
>>> documentation and aren't aware of the difference between
>>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); and curl_setopt($ch,
>>> CURLOPT_SSL_VERIFYHOST, true); but still... I don't think this is a
>>> good idea either.
>>
>> I highly doubt code that sets CURLOPT_SSL_VERIFYHOST =3D> true meant =
to
>> imply CURLOPT_SSL_VERIFYHOST =3D> 1...which essentially bypasses host=

>> verification.
>
> They may have, even in spite of it being a bad idea, since that's how
> boolean =E2=86=92 integer conversion works in PHP. I don't think we ca=
n assume
> that every single person who's written that line of code didn't check
> whether CURLOPT_SSL_VERIFYHOST was a boolean or integer option.
>
>> According to libcurl, CURLOPT_SSL_VERIFYHOST =3D> 1 is "not ordinaril=
y a
>> useful setting".
>
> I agree, but I don't think we can start arbitrarily changing well
> defined type conversion behaviour for one corner case. The
> CURLOPT_SSL_VERIFYHOST option has been documented as expecting integer=

> 0, 1 or 2 since at least April 2002 (and probably quite a bit earlier
> than that), complete with the meanings of each value =E2=80=94 there's=
 only so
> much we can do to protect developers from themselves. (In fairness,
> the wording strongly recommending using option 2 only came in last
> August thanks to Ilia, but nobody should have been treating the option=

> as a boolean option to start with.)
>
> Fundamentally, it's a bad API on the part of curl, but that's a
> separate issue. There's nothing stopping somebody proposing a saner
> API on top of libcurl (as Anthony did recently with the password
> hashing API atop crypt()).
>
> In summary, I'm against changing ext/curl here.
>
> I do have a couple of specific comments on elements of the patch
> itself in the event that the changed behaviour is wanted, but I'll
> post those on GitHub, since it's probably a better UI for that sort of=

> granular discussion.
>
> Adam
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php