Newsgroups: php.internals
Date: Fri, 21 Dec 2012 19:54:13 -0500
To: Internals
Subject: Re: Changes in libcurl for CURLOPT_SSL_VERIFYHOST in 7.28.1
From: pierrick@webstart.fr (Pierrick Charron)

The following solution was implemented:
https://github.com/php/php-src/commit/517f800277a11d6ce05b0e1afcd0e76dc544d452

Pierrick

On 18 December 2012 23:35, Pierrick Charron wrote:
> Hi all,
>
> About 2 months ago, we had a discussion on this list about the fact
> that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean
> value (true) instead of int values (0, 1 or 2). This bad usage was
> leading to some security issues. The result of this discussion was to
> trigger a notice if someone tried to set CURLOPT_SSL_VERIFYHOST to
> true (boolean), and was committed to >= 5.4.
>
> On November 20th, Daniel (the author of libcurl) released cURL 7.28.1,
> which no longer supports the 1 value for CURLOPT_SSL_VERIFYHOST. This
> change introduced some bugs such as #63795 (you'll find the cause of the
> bug in the comments).
>
> To fix this bug, and to minimize as much as possible the impact of
> this change, I'm proposing to do the following changes in the libcurl
> extension for future releases:
>
> When using libcurl < 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger
> a notice to inform that this value is deprecated.
>
> When using libcurl >= 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to
> 2, trigger a notice to inform the user that this value is no longer
> supported as of libcurl 7.28.1, but keep returning true.
>
> Also, as stated by Remy in bug #63795, when PHP is built with
> curl-wrappers, the context option "curl_verify_ssl_host" sets
> CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set
> CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as
> experimental I don't think this will cause a lot of trouble.
>
> If you have any comment, please do, otherwise, I'll commit those
> changes on Friday to all branches (including 5.3).
>
> Thanks
> Pierrick
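Added example (editor's code, not the php-src commit linked above): a userland wrapper that applies the same mapping Pierrick proposes, so a caller still passing true or 1 ends up with full hostname verification (2) instead of the weak CN-presence check, with the notice text chosen by the running libcurl version. The helper name normalize_verifyhost and the constant LIBCURL_7_28_1 are assumptions, not names from the extension.

```php
<?php
// Assumed helper (not part of ext/curl): mirrors the proposed notice-and-upgrade
// behaviour for CURLOPT_SSL_VERIFYHOST in application code.

// libcurl 7.28.1 as reported by curl_version()['version_number'] (0xXXYYZZ).
const LIBCURL_7_28_1 = 0x071C01;

/**
 * Return a CURLOPT_SSL_VERIFYHOST value that is safe to hand to libcurl.
 *   0 / false : hostname verification disabled; passed through unchanged
 *   1 / true  : before 7.28.1 only checks that a CN exists, rejected afterwards;
 *               upgraded to 2 and a notice is raised, as the RFC-style proposal does
 *   2         : the certificate must match the requested hostname
 */
function normalize_verifyhost($value, int $libcurlVersion): int
{
    $int = (int) $value;              // true -> 1, false -> 0, ints unchanged
    if ($int === 0 || $int === 2) {
        return $int;
    }
    $reason = ($libcurlVersion >= LIBCURL_7_28_1)
        ? 'is no longer supported as of libcurl 7.28.1'
        : 'is deprecated and does not verify the hostname';
    trigger_error("CURLOPT_SSL_VERIFYHOST value 1 (or true) $reason; using 2", E_USER_NOTICE);
    return 2;
}

$ch = curl_init('https://example.com/');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

// Weak pattern from the bug reports: the Boolean is cast to int 1.
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);

// Hardened: the same input is mapped to 2 (a notice is emitted).
$verifyHost = normalize_verifyhost(true, curl_version()['version_number']);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $verifyHost);
```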