Newsgroups: php.internals
Date: Thu, 20 Dec 2012 14:59:27 +0100
Subject: Re: [PHP-DEV] Changes in libcurl for CURLOPT_SSL_VERIFYHOST in 7.28.1
From: jpauli@php.net (jpauli)
To: Pierrick Charron
Cc: Internals

On Wed, Dec 19, 2012 at 5:35 AM, Pierrick Charron wrote:
> Hi all,
>
> About 2 months ago, we had a discussion on this list about the fact
> that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean
> value (true) instead of int values (0, 1 or 2). This bad usage was
> leading to some security issues. The result of this discussion was to
> trigger a notice if someone tried to set CURLOPT_SSL_VERIFYHOST to
> true (boolean), and this was committed to >= 5.4.
>
> On November 20th, Daniel (the author of libcurl) released cURL 7.28.1,
> which no longer supports the value 1 for CURLOPT_SSL_VERIFYHOST. This
> change introduced some bugs such as #63795 (you'll find the cause of the
> bug in the comments).
>
> To fix this bug, and to minimize as much as possible the impact of
> this change, I'm proposing the following changes in the libcurl
> extension for future releases:
>
> When using libcurl < 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger
> a notice to inform that this value is deprecated.

I don't know if it is the good way to deal with that. Does the PHP user
have to be aware that the underlying libcurl is gonna change? The
deprecated message may let him think that in the next *PHP* version the
value will have disappeared, but in fact it's in the next *libcurl*
version, regardless of the PHP version.

> When using libcurl >= 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to
> 2, trigger a notice to inform the user that this value is no longer
> supported as of libcurl 7.28.1, but keep returning true.

Ok

> Also, as stated by Remy in bug #63795, when PHP is built with
> curl-wrappers, the context option "curl_verify_ssl_host" sets
> CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set
> CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as
> experimental, I don't think this will cause a lot of trouble.
>
> If you have any comments, please do, otherwise I'll commit those
> changes on Friday to all branches (including 5.3).

Julien.P
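As an added example (not code from the thread, nor from ext/curl), a userland wrapper in the spirit of the proposal: it intercepts the legacy true/1 value, raises a notice and always hands libcurl 2, the full host-name match that every libcurl version accepts. `normalize_ssl_verifyhost` and `safe_curl_setopt` are hypothetical helper names.

```php
<?php
// Constructed example: applies the thread's policy in userland.
// libcurl encodes its version as 0xXXYYZZ (major, minor, patch): 7.28.1 is 0x071C01.
const LIBCURL_7_28_1 = 0x071C01;

/**
 * Hypothetical helper: returns the value that is actually handed to libcurl
 * for CURLOPT_SSL_VERIFYHOST, raising a notice for the legacy values.
 */
function normalize_ssl_verifyhost($value, int $libcurlVersion): int
{
    // A boolean true is cast to int 1 by the extension. Value 1 only checked
    // that the certificate carries a common name, not that it matches the host,
    // which is the "bad usage" the thread describes; 2 is the full check and
    // has always been valid, so it is used on every libcurl version here.
    if ($value === true || $value === 1) {
        $msg = $libcurlVersion >= LIBCURL_7_28_1
            ? 'CURLOPT_SSL_VERIFYHOST=1 is not supported by libcurl >= 7.28.1; using 2'
            : 'CURLOPT_SSL_VERIFYHOST=1 (or true) is deprecated; using 2';
        trigger_error($msg, E_USER_NOTICE);
        return 2;
    }
    if ($value === false || $value === 0) {
        return 0; // verification explicitly disabled: left to the caller's judgement
    }
    return 2;
}

/**
 * Hypothetical helper: wraps curl_setopt() so the normalization above runs
 * before the option reaches libcurl.
 */
function safe_curl_setopt($ch, int $option, $value): bool
{
    if ($option === CURLOPT_SSL_VERIFYHOST) {
        $value = normalize_ssl_verifyhost($value, curl_version()['version_number']);
    }
    return curl_setopt($ch, $option, $value);
}

// The weak setting seen in the wild, beside the corrected one.
$ch = curl_init('https://example.com/');
safe_curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
safe_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // notice raised, 2 applied
safe_curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // what the code should say
```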