Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: Pierre Joye <pierre.php@gmail.com>
To: Tjerk Anne Meesters
Cc: johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, Daniel Lowrey, internals@lists.php.net, Ángel González
Date: Wed, 18 Sep 2013 23:02:56 -0700
References: <523A466C.4070903@gmail.com>

On Sep 18, 2013 6:07 PM, "Tjerk Anne Meesters" wrote:
>
> On Thu, Sep 19, 2013 at 8:33 AM, Ángel González wrote:
>
> > On 16/09/13 15:58, Daniel Lowrey wrote:
> >
> >> More generally, PHP's stream encryption aspects are quite poorly
> >> documented. For example, https:// streams disable peer verification by
> >> default. While I understand that this is necessary to provide the easiest
> >> possible user experience for things like
> >> `file_get_contents("https://somesite.com")`, it's also horribly insecure.
> >> 99% of people using tools like this won't know anything about this
> >> "feature" and won't realize that their stream transfers are totally
> >> vulnerable to Man-in-the-Middle attacks by default.
> >>
> > Count me as one of those that didn't know https:// streams didn't verify
> > certificates. :)
> > *I consider this a bug* I understand that it's easier to code not
> > verifying the peer, and the hostname may not be available when you are
> > stacking ssl over a stream.
> > But file_get_contents("https://...") is *precisely* the case that
> > should work right out of the box.
> >
> To be practical, verifying certificates requires an up-to-date CA bundle to
> be shipped with PHP; perhaps this is a simple thing to do, I'm not sure.
> This is an oft seen scenario for cURL; the developer would see the
> certificate issue, search online and continue with `CURLOPT_VERIFY_PEER => 0`.
> That said, at least cURL is configured to check the certificate by
> default.
>

FYI, curl allows you to give the path to a cert db; it can be set in php.ini too (if I remember correctly).
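Added example, not part of the thread above or of PHP's own code: it puts the https:// stream behaviour the thread complains about (peer verification off) next to a context that turns verification on, and shows the cURL equivalent. The cURL option Tjerk refers to is spelled `CURLOPT_SSL_VERIFYPEER` in PHP; the per-process cert path Pierre mentions is the `curl.cainfo` php.ini directive (available since PHP 5.3.7). The `verify_peer_name` stream option and the `openssl.cafile` ini directive came later, in PHP 5.6, which also made verification the default for https:// streams. The URL and the CA bundle path are placeholders, and the code needs network access to actually fetch anything.

```php
<?php
// Added example (not from the thread). Shows PHP's pre-5.6 https:// stream
// default (no peer verification) next to an explicitly verifying context,
// plus the equivalent cURL options. URL and CA bundle path are assumptions.

$url      = 'https://somesite.com/';                  // placeholder host from the thread
$caBundle = '/etc/ssl/certs/ca-certificates.crt';     // assumed distro CA bundle path

// Weak: this is what https:// streams did by default before PHP 5.6.
// With verify_peer off, any certificate (self-signed, expired, issued for a
// different host) is accepted, so an on-path attacker can impersonate the server.
$insecure = stream_context_create([
    'ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ],
]);

// Hardened: validate the chain against a CA bundle and check the hostname.
// (verify_peer_name requires PHP >= 5.6; on older versions use 'CN_match'.)
$secure = stream_context_create([
    'ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'cafile'            => $caBundle,
        'allow_self_signed' => false,
    ],
]);

function fetch_with_context(string $url, $context): ?string
{
    // file_get_contents() returns false on failure; a rejected handshake
    // (unknown CA, hostname mismatch, expired cert) surfaces as a warning
    // plus false, which we map to null so the caller cannot confuse it
    // with an empty body.
    $body = @file_get_contents($url, false, $context);
    return $body === false ? null : $body;
}

// cURL equivalent. CURLOPT_CAINFO can be omitted when curl.cainfo is set in
// php.ini, which is the per-process setting the reply above refers to.
function fetch_with_curl(string $url, string $caBundle): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // reject chains not anchored in the bundle
        CURLOPT_SSL_VERIFYHOST => 2,      // require the cert to match the host name
        CURLOPT_CAINFO         => $caBundle,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        fwrite(STDERR, "curl failed: $err\n");
        return null;
    }
    return $body;
}

// Usage: prefer the verifying context; treat null as a hard failure rather
// than falling back to $insecure, which is exactly the "search online and
// disable verification" pattern the thread warns about.
if (fetch_with_context($url, $secure) === null) {
    fwrite(STDERR, "TLS verification failed for $url (check cafile and host name)\n");
    exit(1);
}
if (fetch_with_curl($url, $caBundle) === null) {
    exit(1);
}
```

One practical check: run the hardened fetch against a host with a self-signed or mismatched certificate and confirm it returns null; if it returns a body, the CA bundle path is wrong or a global `openssl.cafile`/`curl.cainfo` setting is pointing at something too permissive.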