Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
From: Nikita Popov <nikita.ppv@gmail.com>
To: Daniel Lowrey
Cc: Tjerk Anne Meesters, "Bryan C. Geraghty", Pierre Joye, johannes@schlueters.dot.de, addw@phcomp.dot.co.uk, PHP Internals, Ángel González
Date: Sat, 21 Sep 2013 22:27:53 +0200

On Sat, Sep 21, 2013 at 10:18 PM, Daniel Lowrey wrote:

> Hello security-conscious internals people!
>
> I've got (what I believe to be) a pretty good working solution for the
> problem of insecure-by-default stream encryption. I need to do some more
> thorough testing before pushing it upstream to a public fork but here's the
> quick and dirty:

Sounds really great! One minor nitpick:

> - Global CA path defaults may be specified via new "openssl.cafile" and
> "openssl.capath" php.ini directives. This has the advantage mentioned
> upthread of allowing distros to customize the .ini file to point to an
> existing CA file.
>
> - Global CA path defaults may be specified at runtime via two new
> functions:
> + bool openssl_set_default_cafile(string $cafile)
> + bool openssl_set_default_capath(string $capath)

Why do we need these functions? Can't you just specify it with
ini_set('openssl.cafile', $file)? I don't immediately see why we need
additional functions to set those ini options.

Nikita
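For readers of the thread, an added example (not code from the patch or from either poster) of what "secure by default" means at the stream level: a client context that turns peer verification on explicitly and takes its CA bundle from the openssl.cafile directive discussed above, falling back to a placeholder path. It assumes a PHP build with the openssl extension that recognises the openssl.cafile directive and the verify_peer_name context option; the CA path and host are placeholders.

```php
<?php
// Added example, not part of the thread. Build an SSL stream context that
// verifies the server certificate instead of relying on the insecure
// pre-change default (verify_peer = false).
function tls_client_context($cafile = null)
{
    if ($cafile === null) {
        // Prefer the global default proposed in the thread (openssl.cafile);
        // ini_get() yields false/'' when it is unset. Fallback path is a placeholder.
        $cafile = ini_get('openssl.cafile') ?: '/etc/ssl/certs/ca-certificates.crt';
    }
    if (!is_readable($cafile)) {
        // Fail closed: an unreadable bundle must not degrade to "no verification".
        throw new RuntimeException("CA bundle not readable: $cafile");
    }
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,    // check the chain against $cafile
        'verify_peer_name'  => true,    // check the certificate matches the host
        'allow_self_signed' => false,
        'cafile'            => $cafile,
    ]]);
}

// Open an ssl:// stream with the verifying context. A certificate that does
// not chain to the bundle, or a name mismatch, fails here instead of
// silently connecting.
function tls_connect($host, $port = 443, $cafile = null)
{
    $ctx = tls_client_context($cafile);
    $fp  = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("TLS connect to $host:$port failed: $errstr ($errno)");
    }
    return $fp;
}

// Usage with a placeholder host.
$fp = tls_connect('example.com');
fwrite($fp, "HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n");
echo fgets($fp);
fclose($fp);
```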