Newsgroups: php.internals
Xref: news.php.net php.internals:69235
Date: Thu, 19 Sep 2013 14:41:18 -0700
From: aharvey@php.net (Adam Harvey)
To: Daniel Lowrey
Cc: "Bryan C. Geraghty", internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
References: <523A466C.4070903@gmail.com> <000001ceb53c$492a3090$db7e91b0$@org>

On 19 September 2013 10:52, Daniel Lowrey wrote:
>> *I consider this a bug* I understand that it's easier to code not verifying the
>> peer, and the hostname may not be available when you are stacking ssl over a stream.
>> But file_get_contents("https://...") is *precisely* the case that should work right
>> out of the box.
>
> ^^ This.
>
> Before I can fully/cleanly implement these changes we need to decide
> if PHP wants to move to a secure-by-default model for streams
> utilizing the built in encryption wrappers. Thoughts?

I think we should do this in 5.6. cURL has behaved this way for literally years at this point (verify by default, provide a switch to disable verification) and users seem to do just fine there. The much improved security story outweighs the (admittedly present) BC issues for mine.
As for the CA bundle side of things, I wonder if this is one of those rare times where an ini setting might make sense, as opposed to actual bundling — that would allow distros to point to their packaged bundles without needing to patch php-src, and we could provide from-source installation instructions easily enough to point to common distro locations and the cURL download for users on more exotic OSes (like Windows).

Adam
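The contrast the thread is about, shown as an added example (not code from php-src or from any message in the thread): the unverified stream context that `file_get_contents("https://...")` amounted to when verification was off by default, next to a context that verifies the chain against a CA bundle and checks the host name, plus the cURL options the post compares against. Assumptions: `verify_peer_name` needs PHP 5.6 or later (older versions use `CN_match` instead), the CA bundle path is supplied as an argument or through an `openssl.cafile` ini setting, and the `/etc/ssl/certs/ca-certificates.crt` default is a Debian-style location the reader may need to change.

```php
<?php
// Added example, not code from php-src or from the mailing-list post.
// Assumptions: 'verify_peer_name' exists (PHP >= 5.6; use 'CN_match' => $host
// on older versions), and a CA bundle path comes from an argument or from an
// 'openssl.cafile' ini setting, which may be absent on the reader's build.

// What an https:// stream looked like with verification off: the peer
// certificate is never checked, so any certificate, valid or not, is accepted.
function insecure_context() {
    return stream_context_create(array('ssl' => array(
        'verify_peer' => false,
    )));
}

// The verified form: chain checked against $cafile, host name checked,
// self-signed certificates rejected. Throws rather than falling back to
// an unverified connection when no usable bundle is available.
function verified_context($cafile = null) {
    if ($cafile === null) {
        $cafile = ini_get('openssl.cafile'); // empty string if the setting does not exist
    }
    if (!$cafile || !is_readable($cafile)) {
        throw new RuntimeException('No readable CA bundle: ' . var_export($cafile, true));
    }
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,   // PHP < 5.6: 'CN_match' => parse_url($url, PHP_URL_HOST)
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'verify_depth'      => 5,
    )));
}

// HTTPS fetch that fails closed: a verification error becomes an exception
// carrying the OpenSSL message instead of a silent talk to an unverified peer.
function https_get($url, $cafile = null) {
    $ctx  = verified_context($cafile);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err ? $err['message'] : 'unknown error'));
    }
    return $body;
}

// The cURL equivalent the post refers to: verify the peer and the host name,
// and point at an explicit bundle.
function curl_verified_handle($url, $cafile) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $cafile,
    ));
    return $ch;
}

if (PHP_SAPI === 'cli') {
    // Offline part: print the two option sets side by side.
    echo "insecure:\n";
    var_export(stream_context_get_options(insecure_context()));
    echo "\n";

    // Bundle location is an assumption (Debian-style); pass your own as argv[1].
    $bundle = isset($argv[1]) ? $argv[1] : '/etc/ssl/certs/ca-certificates.crt';
    try {
        echo "verified:\n";
        var_export(stream_context_get_options(verified_context($bundle)));
        echo "\n";
        // Optional network part: php example.php /path/to/bundle https://example.com/
        if (isset($argv[2])) {
            echo strlen(https_get($argv[2], $bundle)), " bytes fetched with verification\n";
        }
    } catch (RuntimeException $e) {
        echo 'error: ', $e->getMessage(), "\n";
    }
}
```

Run without arguments to see only the option sets; give a bundle path and a URL to perform a verified fetch. Pointing `$bundle` at a non-existent file or fetching from a host with a self-signed certificate shows the fail-closed behaviour: an exception, not a connection.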