Newsgroups: php.internals
From: datibbaw@php.net (Tjerk Anne Meesters)
Date: Thu, 19 Sep 2013 17:01:01 +0800
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
To: Pierre Joye
Cc: johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, Daniel Lowrey, "internals@lists.php.net", Ángel González

On Thu, Sep 19, 2013 at 2:02 PM, Pierre Joye wrote:

> On Sep 18, 2013 6:07 PM, "Tjerk Anne Meesters" wrote:
> >
> > On Thu, Sep 19, 2013 at 8:33 AM, Ángel González wrote:
> >
> > > On 16/09/13 15:58, Daniel Lowrey wrote:
> > >
> > > > More generally, PHP's stream encryption aspects are quite poorly
> > > > documented. For example, https:// streams disable peer verification
> > > > by default. While I understand that this is necessary to provide the
> > > > easiest possible user experience for things like
> > > > `file_get_contents("https://somesite.com")`, it's also horribly
> > > > insecure. 99% of people using tools like this won't know anything
> > > > about this "feature" and won't realize that their stream transfers
> > > > are totally vulnerable to Man-in-the-Middle attacks by default.
> > > >
> > > Count me as one of those that didn't know https:// streams didn't
> > > verify certificates. :)
> > > *I consider this a bug*
> > > I understand that it's easier to code not verifying the peer, and the
> > > hostname may not be available when you are stacking ssl over a stream.
> > > But file_get_contents("https://...") is *precisely* the case that
> > > should work right out of the box.
> > >
> >
> > To be practical, verifying certificates requires an up-to-date CA bundle
> > to be shipped with PHP; perhaps this is a simple thing to do, I'm not
> > sure.
> >
> > This is an oft seen scenario for cURL; the developer would see the
> > certificate issue, search online and continue with
> > `CURLOPT_VERIFY_PEER => 0`. That said, at least cURL is configured to
> > check the certificate by default.
> >
>
> FYI, curl allows to give the path to a cert db, it can be set in php.ini
> too (if I remember correctly)
>

Yes, I know that. This can also be done with the ca_file / ca_path context
options when you use streams.

My point is that you need a reasonably up-to-date certs bundle to enable
verification by default. It could be impractical to ship such a bundle with
php itself, in which case one might consider updating the documentation to
highlight where such cert bundles can be downloaded from.

--
Tjerk
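
An added example (not from this thread or from PHP's own sources) of the approach discussed above: an https:// stream fetch that turns peer verification on explicitly and points it at a CA bundle. The documented SSL context option keys are `cafile` and `capath`; the helper names and the bundle path are assumptions made for illustration.

```php
<?php
// Added example: https:// stream fetch with certificate verification enabled.

/** Build an SSL context that checks the chain and the host name. */
function verified_https_context($host, $caBundle)
{
    if (!is_readable($caBundle)) {
        // Fail closed: never fall back to an unverified connection.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ssl = array(
        'verify_peer'       => true,      // validate the chain against cafile
        'cafile'            => $caBundle, // PEM file of trusted root certificates
        'verify_depth'      => 5,         // reject overly long chains
        'allow_self_signed' => false,
    );
    if (PHP_VERSION_ID >= 50600) {
        $ssl['verify_peer_name'] = true;  // host name check, PHP 5.6 and later
        $ssl['peer_name']        = $host;
    } else {
        $ssl['CN_match'] = $host;         // host name check before PHP 5.6
    }
    return stream_context_create(array('ssl' => $ssl));
}

/** Fetch a URL, refusing anything that is not verified HTTPS. */
function fetch_verified($url, $caBundle)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (parse_url($url, PHP_URL_SCHEME) !== 'https' || !$host) {
        throw new InvalidArgumentException("Not an https URL: $url");
    }
    $body = file_get_contents($url, false, verified_https_context($host, $caBundle));
    if ($body === false) {
        // A failed handshake ends here; do not retry with verify_peer off.
        throw new RuntimeException("TLS verification or transfer failed for $host");
    }
    return $body;
}

// Assumed bundle location; use the one your OS or distribution maintains.
$caBundle = '/etc/ssl/certs/ca-certificates.crt';

// Runs only when a URL is passed on the command line: php fetch.php https://...
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo strlen(fetch_verified($argv[1], $caBundle)), " bytes\n";
}
```

With an expired, self-signed or mismatched certificate, `file_get_contents()` emits a warning carrying the OpenSSL error and returns `false`, which `fetch_verified()` turns into an exception instead of silently accepting the connection.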