Newsgroups: php.internals
Xref: news.php.net php.internals:64351
Date: Tue, 18 Dec 2012 23:35:15 -0500
To: Internals
Subject: Changes in libcurl for CURLOPT_SSL_VERIFYHOST in 7.28.1
From: pierrick@webstart.fr (Pierrick Charron)

Hi all,

About 2 months ago, we had a discussion on this list about the fact that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean value (true) instead of int values (0, 1 or 2). This bad usage was leading to some security issues. The result of this discussion was to trigger a notice if someone tried to set CURLOPT_SSL_VERIFYHOST to true (boolean), and it was committed to >= 5.4.

On November 20th, Daniel (the author of libcurl) released cURL 7.28.1, which no longer supports the value 1 for CURLOPT_SSL_VERIFYHOST. This change introduced some bugs such as #63795 (you'll find the cause of the bug in the comments).

To fix this bug, and to minimize as much as possible the impact of this change, I'm proposing to make the following changes in the libcurl extension for future releases:

- When using libcurl < 7.28.1, if someone tries to set CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger a notice to inform that this value is deprecated.
- When using libcurl >= 7.28.1, if someone tries to set CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to 2, trigger a notice to inform the user that this value is no longer supported as of libcurl 7.28.1, but keep returning true.

Also, as stated by Remy in bug #63795, when PHP is built with curl-wrappers, the context option "curl_verify_ssl_host" sets CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as experimental, I don't think this will cause a lot of trouble.

If you have any comments, please do, otherwise I'll commit those changes on Friday to all branches (including 5.3).

Thanks
Pierrick
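As an added example (not code from the post or from the PHP curl extension itself), the Boolean-versus-int mix-up the message describes, beside a userland wrapper that applies the proposed normalisation; unlike the proposal, the wrapper always ends up at 2 on every libcurl version, and the function names and notice wording are assumptions.

```php
<?php
// Added example, not part of the mailing-list post.

// WEAK: `true` is cast to the integer 1. libcurl < 7.28.1 reads 1 as
// "a Common Name exists in the certificate" and never compares it with the
// requested host name, so a valid certificate for any host is accepted.
// libcurl >= 7.28.1 rejects 1 outright, so curl_setopt() fails instead.
function weakHandle($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // silently becomes 1
    return $ch;
}

// Map the deprecated/unsupported value the way the proposal describes,
// but always land on 2 (full host-name match). 0 is passed through so a
// deliberate opt-out stays visible in the caller's code.
// Assumption: notice texts and function names are ours, not the extension's.
function normalizeVerifyHost($value)
{
    if ($value === true || (int) $value === 1) {
        $version = curl_version()['version'];
        $msg = version_compare($version, '7.28.1', '>=')
            ? "CURLOPT_SSL_VERIFYHOST=1 is not supported by libcurl $version; using 2"
            : "CURLOPT_SSL_VERIFYHOST=1 is deprecated; using 2";
        trigger_error($msg, E_USER_NOTICE);
        return 2;
    }
    return (int) $value;
}

// HARDENED: peer verification on, and the host-name check set to 2 unless
// the caller explicitly asks for something else (which is then normalised).
function hardenedHandle($url, $verifyHost = 2)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, normalizeVerifyHost($verifyHost));
    return $ch;
}

// Usage: the second call raises an E_USER_NOTICE and still configures 2.
$ok  = hardenedHandle('https://example.com/');
$fix = hardenedHandle('https://example.com/', true);
```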