Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69244
Return-Path: <tjerk.meesters@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 30594 invoked from network); 20 Sep 2013 07:24:23 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Sep 2013 07:24:23 -0000
Authentication-Results: pb1.pair.com header.from=tjerk.meesters@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tjerk.meesters@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.182 as permitted sender)
X-PHP-List-Original-Sender: tjerk.meesters@gmail.com
X-Host-Fingerprint: 209.85.216.182 mail-qc0-f182.google.com  
Received: from [209.85.216.182] ([209.85.216.182:56047] helo=mail-qc0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 0F/57-20998-528FB325 for <internals@lists.php.net>; Fri, 20 Sep 2013 03:24:22 -0400
Received: by mail-qc0-f182.google.com with SMTP id n4so33003qcx.13
        for <internals@lists.php.net>; Fri, 20 Sep 2013 00:24:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:cc:content-type;
        bh=Wp5ubskumKxZy4m9eI6n0PwLk+5p0A5NcKgi5IMVBX8=;
        b=Cu/mZx2cSzhVQzrOMDIWRH0xSlWzeR+JE3aTzisyq+NsGbxqakF3Z5sLe6HWBMz9So
         kawJea+KPuJHVAPnD5Z0oOsFsC4arG2H2/JYQdWYsoon9TmSNg2Savn2ZtJkVALxA/LY
         zWGREQFrG5ff3K+w65w2OTCGZXst/FGec2S+SXMxakXSl3qc0n+hyHuzceWfCr2fUI6I
         /5Nc++DdI08vq72Dk8DnpWWUuSrtRB0ffYMA92hw4VpmbxWobFOThYNYg1/8ZLF3/lBc
         rGtap7GIt20xc4jSv95rshnc04tkJC3CiesGE4sF/CemOZ9nS30vgwL8Ks0wLisFSYv3
         oUQg==
MIME-Version: 1.0
X-Received: by 10.224.98.200 with SMTP id r8mr3731872qan.26.1379661859213;
 Fri, 20 Sep 2013 00:24:19 -0700 (PDT)
Sender: tjerk.meesters@gmail.com
Received: by 10.49.61.227 with HTTP; Fri, 20 Sep 2013 00:24:19 -0700 (PDT)
In-Reply-To: <000001ceb53c$492a3090$db7e91b0$@org>
References: <CAH8MpnnTGD0xAwG1j9sh10EC6XzdscVRLbJzEMG6qWSBK5c17w@mail.gmail.com>
	<523A466C.4070903@gmail.com>
	<CAHMUw2HxcWgOBxiK=r4y6FgWF_Gkhgc6BgHxF_bgLLJG9RVxmQ@mail.gmail.com>
	<CAEZPtU7YjNksHLEyH9VzM-iDdpQmBeJkF-BHPkAajZjiQS5XBA@mail.gmail.com>
	<CAHMUw2Gv=JdswmWVHCvp2S3WECVPEx4aWOQzF2yLMHaqJ5HK-g@mail.gmail.com>
	<000001ceb53c$492a3090$db7e91b0$@org>
Date: Fri, 20 Sep 2013 15:24:19 +0800
X-Google-Sender-Auth: yFjg2AWPL1S2GhTu6GL_-vdTFNw
Message-ID: <CAHMUw2ECV2KnwgtoKEwqB5b6Y4M_SM0NKCZK3eMVWoDp2Gemdw@mail.gmail.com>
To: "Bryan C. Geraghty" <bryan@ravensight.org>
Cc: Pierre Joye <pierre.php@gmail.com>, johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, 
	Daniel Lowrey <rdlowrey@gmail.com>, PHP Internals <internals@lists.php.net>, 
	=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= <keisial@gmail.com>
Content-Type: multipart/alternative; boundary=089e01536b7c0757d204e6cb8fd5
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: datibbaw@php.net (Tjerk Anne Meesters)

--089e01536b7c0757d204e6cb8fd5
Content-Type: text/plain; charset=ISO-8859-1

Hi Bryan,

On Thu, Sep 19, 2013 at 9:29 PM, Bryan C. Geraghty <bryan@ravensight.org>wrote:

> -----Original Message-----
> From: tjerk.meesters@gmail.com [mailto:tjerk.meesters@gmail.com] On Behalf
> Of Tjerk Anne Meesters
> Sent: Thursday, September 19, 2013 4:01 AM
>
> > My point is that you need a reasonably up-to-date certs bundle to enable
> verification by default.
>
> Actually, you don't. There is no reason why certificate validation cannot
> be
> enabled by default without a CA bundle. Yes, verifications will fail by
> default but this is no different than the cases where someone has an
> oddball
> provider or self-signed certificates; they have to manually add the cert
> for
> verification to pass.
>

For the most part, API libraries I've seen handle this scenario by shipping
a certificate bundle with their code. The verification setting obviously
does not apply to them, because they're handling it themselves or they
don't use streams at all.

However, I can imagine the bulk of developers will want the
`file_get_contents('https://example.org')` to *just work* and flipping that
switch between versions will likely upset a horde of them.


>
> Additionally, given the current certificate climate, I wouldn't trust
> anything signed by the global CAs. If you're concerned about security, you
> should be validating the certificate fingerprint and not trusting CAs.
>

That feature is currently not very well supported in streams. However, I'm
working on a proposal to introduce [openssl_x509_digest()] which would make
this possible:

$context = stream_context_create([
    'ssl' => [
        'capture_peer_cert' => true,
]]);

$f = fopen($url, 'rt', false, $context);

$options = stream_context_get_options($context);

openssl_x509_digest($options['ssl']['peer_certificate'], $result);
echo "SHA1 fingerprint = ", bin2hex($result), "\n";

https://github.com/datibbaw/php-src/commit/b8f9a20286c6d88c11e81967df42d118bdba2f02




>
> Bryan
>
>


-- 
--
Tjerk

--089e01536b7c0757d204e6cb8fd5--