Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63696
Return-Path: <hannes.magnusson@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 70780 invoked from network); 29 Oct 2012 00:42:01 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 Oct 2012 00:42:01 -0000
Authentication-Results: pb1.pair.com header.from=hannes.magnusson@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=hannes.magnusson@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender)
X-PHP-List-Original-Sender: hannes.magnusson@gmail.com
X-Host-Fingerprint: 209.85.215.42 mail-la0-f42.google.com  
Received: from [209.85.215.42] ([209.85.215.42:61502] helo=mail-la0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 22/40-65462-9D0DD805 for <internals@lists.php.net>; Sun, 28 Oct 2012 19:42:01 -0500
Received: by mail-la0-f42.google.com with SMTP id e6so3776869lah.29
        for <internals@lists.php.net>; Sun, 28 Oct 2012 17:41:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=VxWwl0Go/YQHKP/iQYz56EzSqH7H2XjGRZv8y05QiPs=;
        b=SU2nfi8lDS0l5TA1zNcZExp1jwHO/AP4U2gRtHwu+0A2Wfw4HZPH3BZ8dPMEsNTdwx
         RWucQmOXeg6SxRIslsllwYEDFxs4ldktgY3uBhd5t8H7J7FRVhGePZnbccFEit5dBnfm
         wR1i9ScAZ4HTPI7Igu56mLMu42LdjW4DL5uvSFmGZSkTWoO108xmAvdPFds77J1sa02Y
         aU4XBNuwHXXTsE44c6/6jbloJFVVQ2ohtY2WWEA34iF18lEs2OQfhhtn3jP3aGSK+DKj
         U5prdm5AiCYCIuKqxknd8CJ8RgipeYecsjeDE+5ZxRP5j2z99jlJulGWiVwGNy3i0qd5
         3klg==
MIME-Version: 1.0
Received: by 10.112.82.8 with SMTP id e8mr11115387lby.19.1351471318074; Sun,
 28 Oct 2012 17:41:58 -0700 (PDT)
Received: by 10.114.4.163 with HTTP; Sun, 28 Oct 2012 17:41:58 -0700 (PDT)
In-Reply-To: <CAB75mSVg10VURjFmOhNQk87CqVP9FOQmcSzzgfMUTEb6S7WvxQ@mail.gmail.com>
References: <CAB75mSX-cMqZPTfv2vc8fakD_pr31qPR+kO5_O=zYiVoy4xH2w@mail.gmail.com>
	<CAL+t6cF=e_55=v9bZVy7Tv=V3M4CUQLueu=b5Efa+MD0ewG_qA@mail.gmail.com>
	<CAB75mSVg10VURjFmOhNQk87CqVP9FOQmcSzzgfMUTEb6S7WvxQ@mail.gmail.com>
Date: Sun, 28 Oct 2012 17:41:58 -0700
Message-ID: <CADNQb0UFoKViurdNKBEa7TSqgtbfo_14eCMLQAWFjAB6M8+-Sg@mail.gmail.com>
To: JJ <jawed@php.net>
Cc: Sherif Ramadan <theanomaly.is@gmail.com>, internals@lists.php.net
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Changing the default value of "true" for CURLOPT_SSL_VERIFYHOST
From: hannes.magnusson@gmail.com (Hannes Magnusson)

On Wed, Oct 24, 2012 at 10:46 PM, JJ <jawed@php.net> wrote:
> On Wed, Oct 24, 2012 at 10:34 PM, Sherif Ramadan
> <theanomaly.is@gmail.com> wrote:
>> I understand there are people out there that don't read the
>> documentation and aren't aware of the difference between
>> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); and curl_setopt($ch,
>> CURLOPT_SSL_VERIFYHOST, true); but still... I don't think this is a
>> good idea either.
>
> I highly doubt code that sets CURLOPT_SSL_VERIFYHOST => true meant to
> imply CURLOPT_SSL_VERIFYHOST => 1...which essentially bypasses host
> verification.
>
> According to libcurl, CURLOPT_SSL_VERIFYHOST => 1 is "not ordinarily a
> useful setting".


The curl stream wrapper sets this option to 1 when using the
curl_verify_ssl_host context option.
I imagine that should be fixed too then?

-Hannes