Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:69241 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 96618 invoked from network); 20 Sep 2013 00:48:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 20 Sep 2013 00:48:50 -0000 Authentication-Results: pb1.pair.com smtp.mail=adam@adamharvey.name; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=adam@adamharvey.name; sender-id=pass Received-SPF: pass (pb1.pair.com: domain adamharvey.name designates 209.85.223.179 as permitted sender) X-PHP-List-Original-Sender: adam@adamharvey.name X-Host-Fingerprint: 209.85.223.179 mail-ie0-f179.google.com Received: from [209.85.223.179] ([209.85.223.179:47652] helo=mail-ie0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7E/A1-20998-17B9B325 for ; Thu, 19 Sep 2013 20:48:50 -0400 Received: by mail-ie0-f179.google.com with SMTP id e14so16699579iej.38 for ; Thu, 19 Sep 2013 17:48:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adamharvey.name; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=mZypesa2HIeTNz55RBExuhFKQzGCn3w0DLHvQiob92E=; b=maemUD4LXpVDnuc1+hcBI9t1i/m/t386KJmO9pE7/+vAGHg8qPleBEC9tmbGXL6rIL SaLNTyG0ddhncdeDknicrhcloEDO0hyoE6B22gfQYUWi2NL4HoRSkPu/ac3D0gz9VVWl hvtgntnMIjlWH8MJuybJekrJwURWwv8XO+Ujw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=mZypesa2HIeTNz55RBExuhFKQzGCn3w0DLHvQiob92E=; b=Pt7eb8Qubja4KEjTVLOIths61Kbr4ih/XzBQ7DN8r1QE28bUV4z2hcs1Qa7vRAJ5vN rtsv0XH49wNmy/zDVxbWdSXmNhjzRkJksOWROYHjibXa89z3vXxwWo29D+k3KmfRSUkC jSpKr2qyCJCewmddYHUDfaQc3pAL7XrWIdEeqSTzJwkBQ+irKJF/KNmAGQ8O0crn5YW9 KJgaa+AiJ3FPlu75VvDMpNfx8eRVaWrVr+PSP6peepA+wix/3Pcyi8rgwI6wDa8z/YY/ N2eTqE8x1wbhppN0w65O7MlrFweEsCJcC0yqOZSaOz8y/pCIMZwom0F8lP0OZ70eSMr5 /BZg== X-Gm-Message-State: ALoCoQkowVEAhEjPTD5XiRMyCYsBpzddK8621mXpQplSb9+6JhChxw19WrhXRc/kFx7FJqL+TePR X-Received: by 10.50.25.101 with SMTP id b5mr517439igg.31.1379638126564; Thu, 19 Sep 2013 17:48:46 -0700 (PDT) MIME-Version: 1.0 Sender: adam@adamharvey.name Received: by 10.42.206.208 with HTTP; Thu, 19 Sep 2013 17:48:26 -0700 (PDT) In-Reply-To: References: <523A466C.4070903@gmail.com> <000001ceb53c$492a3090$db7e91b0$@org> Date: Thu, 19 Sep 2013 17:48:26 -0700 X-Google-Sender-Auth: 08JQQ-PMnE5xMRTzL_PUpqq6OCY Message-ID: To: Pierre Joye Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit From: aharvey@php.net (Adam Harvey) On 19 September 2013 17:41, Pierre Joye wrote: > It does when you use curl's win32 SSL support. That makes my previous > point wrong as we do not compile it with this option but openssl (for > cross platform compatibility reasons). But as the curl's ca file works > just fine, everything is good. > > Would it make sense to share that option for openssl itself? I think so, particularly if we did make peer validation the default. Most Windows users would be happy to just use the system certificate store, I would think, so that would be one less thing to configure post-install. Adam