Newsgroups: php.internals
Xref: news.php.net php.internals:64380
Date: Thu, 20 Dec 2012 10:57:12 -0500
Subject: Re: [PHP-DEV] Changes in libcurl for CURLOPT_SSL_VERIFYHOST in 7.28.1
From: pierrick@webstart.fr (Pierrick Charron)
To: jpauli
Cc: Internals

Hi Julien,

I think we need to trigger a notice to prevent users from writing code that may not work in future versions, even if it doesn't depend on our changes but on library changes. Maybe we could be more explicit and tell the user that the 1 value will not be available as of libcurl 7.28.1 (I just hope that people will not be confused about what libcurl is and what its version is).

Pierrick

On 20 December 2012 08:59, jpauli wrote:
> On Wed, Dec 19, 2012 at 5:35 AM, Pierrick Charron wrote:
>>
>> Hi all,
>>
>> About 2 months ago, we had a discussion on this list about the fact
>> that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean
>> value (true) instead of int values (0, 1 or 2). This bad usage was
>> leading to some security issues. The result of this discussion was to
>> trigger a notice if someone tried to set CURLOPT_SSL_VERIFYHOST to
>> true (boolean), and it was committed to >= 5.4.
>>
>> On November 20th, Daniel (the author of libcurl) released cURL 7.28.1,
>> which no longer supports the 1 value for CURLOPT_SSL_VERIFYHOST. This
>> change introduced some bugs such as #63795 (you'll find the cause of the
>> bug in the comments).
>>
>> To fix this bug, and to minimize as much as possible the impact of
>> this change, I'm proposing to do the following changes in the libcurl
>> extension for future releases:
>>
>> When using libcurl < 7.28.1, if someone tries to set
>> CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger
>> a notice to inform that this value is deprecated.
>
> I don't know if it is the right way to deal with that. Does the PHP user have
> to be aware that the underlying libcurl is gonna change? The deprecation
> message may let him think that in the next *PHP* version the value will have
> disappeared, but in fact it's in the next *libcurl* version, regardless of
> PHP version.
>
>> When using libcurl >= 7.28.1, if someone tries to set
>> CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to
>> 2, trigger a notice to inform the user that this value is no longer
>> supported as of libcurl 7.28.1, but keep returning true.
>
> Ok
>
>> Also, as stated by Remy in bug #63795, when PHP is built with
>> curl-wrappers, the context option "curl_verify_ssl_host" sets
>> CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set
>> CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as
>> experimental, I don't think this will cause a lot of trouble.
>>
>> If you have any comments, please do, otherwise I'll commit those
>> changes on Friday to all branches (including 5.3).
>
> Julien.P
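As an added illustration, not code from this thread or from ext/curl: the weak CURLOPT_SSL_VERIFYHOST setting the discussion is about next to the corrected one, a check for the libcurl 7.28.1 behaviour change, and a small source scan for the bad spellings. It assumes PHP with the curl extension; the function names and hostname are my own.

```php
<?php
// Weak form: `true` is coerced to int 1. Before libcurl 7.28.1 that only
// required the certificate to carry a Common Name, without comparing it to
// the host being contacted; from 7.28.1 on the value is rejected outright,
// which is why curl_setopt() started returning false (bug #63795).
function weak_handle(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    $ok = curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);   // becomes 1
    return [$ch, $ok];
}

// Corrected form: 2 checks that the certificate name matches the host, and
// it is accepted by every libcurl version. A failed curl_setopt() must not
// be ignored, because the handle would silently keep whatever it had before.
function hardened_handle(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    if (!curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2)) {
        throw new RuntimeException('could not enable host name verification');
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// curl_version()['version_number'] packs major.minor.patch as 0xMMmmpp,
// so libcurl 7.28.1 is 0x071C01. True when the linked libcurl rejects 1.
function libcurl_rejects_verifyhost_1(): bool
{
    return curl_version()['version_number'] >= 0x071C01;
}

// Audit helper: list the occurrences of the option set to true/1 in a
// piece of PHP source, i.e. the usage the thread wants to warn about.
function find_weak_verifyhost(string $source): array
{
    preg_match_all('/CURLOPT_SSL_VERIFYHOST\s*,\s*(?:true|TRUE|1)\b/', $source, $m);
    return $m[0];
}

// Constructed sample input, not real project code.
$sample = '$c = curl_init(); curl_setopt($c, CURLOPT_SSL_VERIFYHOST, true);';
print_r(find_weak_verifyhost($sample));
echo 'libcurl rejects 1: ', var_export(libcurl_rejects_verifyhost_1(), true), "\n";
$h = hardened_handle('https://example.invalid/');   // placeholder host
curl_close($h);
```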