Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: aharvey@php.net (Adam Harvey)
To: Pierre Joye
Cc: "internals@lists.php.net"
Date: Thu, 19 Sep 2013 17:38:46 -0700
References: <523A466C.4070903@gmail.com> <000001ceb53c$492a3090$db7e91b0$@org>

On 19 September 2013 17:31, Pierre Joye wrote:
> On Thu, Sep 19, 2013 at 2:41 PM, Adam Harvey wrote:
>> As for the CA bundle side of things, I wonder if this is one of those
>> rare times where an ini setting might make sense, as opposed to actual
>> bundling — that would allow distros to point to their packaged bundles
>> without needing to patch php-src, and we could provide from-source
>> installation instructions easily enough to point to common distro
>> locations and the cURL download for users on more exotic OSes (like
>> Windows).
>
> Windows supports that very well, with Curl for example. It can also
> use the OS certificates database.
>
> For the record here, curl has this setting already:
>
> http://us2.php.net/manual/en/curl.configuration.php#ini.curl.cainfo
>
> which has been around for quite some time already.
>
> It could be possible to share it with openssl, but back then I did not
> check it out as only curl was concerned.

Is that something cURL provides, or that we do?
A (very) cursory Google suggests that OpenSSL doesn't have support for
the Windows certificate store natively, so we'd presumably have to
patch that up (with a sensible default php.ini setting, if we went that
way — "ssl.ca_bundle = win32", or something similar).

> One thing I do not remember off hand is if we actually enable cert
> validation per default with php's curl. It should be as we discussed
> that already many times.

We do. I checked before the first e-mail. :)

Adam
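The thread above turns on two things a PHP deployment should be able to confirm for itself: where the curl extension is told to find its CA bundle (the `curl.cainfo` ini setting Pierre links to), and whether peer verification is actually on for a request. The script below is an added example written for this page, not code from the thread or from php-src. It assumes the curl extension is loaded; the URL and the bundle path in the usage lines are placeholders, and `openssl.cafile` is the analogous setting the openssl extension gained in later PHP releases, so on the PHP versions discussed in this thread it will simply read as unset.

```php
<?php
// Added example: inspect the CA bundle configuration PHP's curl extension
// will use, and issue a request with peer/host verification set explicitly
// rather than relying on whatever the build's defaults happen to be.

function describe_ca_config(): array
{
    return [
        // The ini setting referenced in the thread. Empty means libcurl falls
        // back to its compiled-in default bundle, if the build has one.
        'curl.cainfo'    => ini_get('curl.cainfo') ?: '(not set)',
        // Assumption: the equivalent setting for the openssl extension and the
        // https:// stream wrapper in later PHP releases; unset on older PHP.
        'openssl.cafile' => ini_get('openssl.cafile') ?: '(not set)',
    ];
}

function fetch_with_verification(string $url, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // State verification explicitly so a build with different defaults
        // cannot silently downgrade the request.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    if ($caBundle !== null) {
        // Per-request override of the curl.cainfo ini default.
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);

    // CURLE_SSL_CACERT (60) means the peer certificate could not be chained to
    // anything in the configured bundle: a bundle/location problem rather than
    // a network one, which is exactly the case the ini setting is meant to fix.
    $result = [
        'ok'            => $body !== false,
        'errno'         => $errno,
        'error'         => curl_error($ch),
        'ca_problem'    => $errno === CURLE_SSL_CACERT,
        'http_code'     => curl_getinfo($ch, CURLINFO_HTTP_CODE),
    ];
    curl_close($ch);
    return $result;
}

// Usage (placeholder URL and bundle path; adjust for the host being checked).
print_r(describe_ca_config());
print_r(fetch_with_verification('https://example.com/'));
print_r(fetch_with_verification('https://example.com/', '/path/to/ca-bundle.crt'));
```

Running the first `fetch_with_verification` call with `curl.cainfo` unset on a build that has no compiled-in bundle is the quickest way to see the failure mode the thread is discussing: the request fails with `ca_problem` set, and pointing `curl.cainfo` (or the per-request `CURLOPT_CAINFO`) at the distro's bundle makes it succeed without any change to php-src.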