Newsgroups: php.internals
Date: Thu, 19 Sep 2013 17:41:58 -0700
From: Pierre Joye <pierre.php@gmail.com>
To: Adam Harvey
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit

On Thu, Sep 19, 2013 at 5:38 PM, Adam Harvey wrote:
> On 19 September 2013 17:31, Pierre Joye wrote:
>> On Thu, Sep 19, 2013 at 2:41 PM, Adam Harvey wrote:
>>> As for the CA bundle side of things, I wonder if this is one of those
>>> rare times where an ini setting might make sense, as opposed to actual
>>> bundling — that would allow distros to point to their packaged bundles
>>> without needing to patch php-src, and we could provide from-source
>>> installation instructions easily enough to point to common distro
>>> locations and the cURL download for users on more exotic OSes (like
>>> Windows).
>>
>> Windows supports that very well, with Curl for example. It can also
>> use the OS certificates database.
>>
>> For the record here, curl has this setting already:
>>
>> http://us2.php.net/manual/en/curl.configuration.php#ini.curl.cainfo
>>
>> which has been around for quite some time already.
>>
>> It could be possible to share it with openssl, but back then I did not
>> check it out as only curl was concerned.
>
> Is that something cURL provides, or that we do? A (very) cursory
> Google suggests that OpenSSL doesn't have support for the Windows
> certificate store natively, so we'd presumably have to patch that up
> (with a sensible default php.ini setting, if we went that way —
> "ssl.ca_bundle = win32", or something similar).

It does when you use curl's win32 SSL support. That makes my previous
point wrong as we do not compile it with this option but openssl (for
cross platform compatibility reasons). But as the curl's ca file works
just fine, everything is good.

Would it make sense to share that option for openssl itself?

>> One thing I do not remember off hand is if we actually enable cert
>> validation per default with php's curl. It should be as we discussed
>> that already many times.
>
> We do. I checked before the first e-mail. :)

Thanks :)

-- 
Pierre

@pierrejoye | http://www.libgd.org
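The thread turns on two settings: where PHP's curl extension finds its CA bundle (the `curl.cainfo` ini setting linked above) and whether peer certificate validation is actually on. The following is an added illustration, not code from the thread or from php-src, showing how an application can resolve the bundle the way the thread describes (ini setting first, then common distro locations) and pin verification on explicitly so that a missing bundle fails loudly instead of silently. It assumes PHP 7.1 or later with ext/curl; the fallback paths are a constructed list of typical distro locations, and `verifiedCurlHandle` is a hypothetical helper name.

```php
<?php
// Added example (not from the php-internals thread or php-src).
// Assumptions: PHP >= 7.1 with ext/curl; curl.cainfo is the ini setting
// documented at the manual URL quoted in the thread.

function resolveCaBundle(): ?string
{
    // curl.cainfo is the setting the thread refers to. An empty value means
    // "use libcurl's build-time default", which may be no bundle at all on
    // a Windows build that links OpenSSL rather than the Win32 SSL backend.
    $ini = ini_get('curl.cainfo');
    if ($ini !== false && $ini !== '' && is_readable($ini)) {
        return $ini;
    }

    // Constructed list of common distro bundle locations, tried in order.
    $candidates = [
        '/etc/ssl/certs/ca-certificates.crt', // Debian / Ubuntu
        '/etc/pki/tls/certs/ca-bundle.crt',   // RHEL / CentOS / Fedora
        '/etc/ssl/cert.pem',                  // macOS / some BSDs
    ];
    foreach ($candidates as $path) {
        if (is_readable($path)) {
            return $path;
        }
    }
    return null;
}

/**
 * Build a curl handle with certificate validation made explicit.
 * Throws instead of proceeding when no CA bundle can be found, so a
 * misconfigured host cannot degrade to an unverified connection.
 */
function verifiedCurlHandle(string $url)
{
    $bundle = resolveCaBundle();
    if ($bundle === null) {
        throw new RuntimeException(
            'No CA bundle found; set curl.cainfo in php.ini to your distro bundle.'
        );
    }

    $ch = curl_init($url);
    // These match libcurl's defaults (the "we do" in the thread), but setting
    // them explicitly guards against another code path turning them off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// The weak configuration this guards against, shown for contrast only:
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// With that line, a connection succeeds against any certificate, which is
// exactly the outcome the default-on validation discussed above prevents.

// Usage:
// $ch = verifiedCurlHandle('https://example.com/');
// $body = curl_exec($ch);
// if ($body === false) { echo curl_error($ch), PHP_EOL; }
```

Reading `curl.cainfo` through `ini_get()` rather than hard-coding a path keeps the distro-packaging intent of the thread: the bundle location stays an operator decision in php.ini, and the code only enforces that some bundle is present and that verification is on.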