Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:69257 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 94179 invoked from network); 21 Sep 2013 20:32:21 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Sep 2013 20:32:21 -0000 Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.83.49 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 74.125.83.49 mail-ee0-f49.google.com Received: from [74.125.83.49] ([74.125.83.49:54037] helo=mail-ee0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 25/10-27347-4520E325 for ; Sat, 21 Sep 2013 16:32:21 -0400 Received: by mail-ee0-f49.google.com with SMTP id d41so911422eek.8 for ; Sat, 21 Sep 2013 13:32:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JKOzyIbcsuFVtr/BgmYPa7gzRadrTKYmymypX5+tGHs=; b=VVvs5yC0XNRsIhoI6SxCa35bnXvqDFHaDEVZSL+w0LugykDDLWNUkqTh3NiWhhLvkW m5lG72jiRzlrCLN5QA01ZinsC9ryFuOQ+CaLUkqE2UEFbn4bHtzqP0Vw0KSEFQkViu8V KTPGLbz/Rnz9BDp7RQ5Xx6AiqTatXxvLhZ+2pQPeZiECdHHfAGrd8DKPEW8XptmTT0q1 KWr5J+wvfSj0lCoRIGZcD7Utu5fltUFu+9hcRfxABzyiwT5tdycrtZk6THA91MF705cU WnwctTTjCPJ15VGm1VgfckoLD2KS8mkjYH2AGE42DRyRgRXrHXumYA/qrX/EaeQLqxLO kHJA== MIME-Version: 1.0 X-Received: by 10.15.48.67 with SMTP id g43mr22073975eew.17.1379795537922; Sat, 21 Sep 2013 13:32:17 -0700 (PDT) Received: by 10.223.199.129 with HTTP; Sat, 21 Sep 2013 13:32:17 -0700 (PDT) In-Reply-To: References: <523A466C.4070903@gmail.com> <000001ceb53c$492a3090$db7e91b0$@org> Date: Sat, 21 Sep 2013 16:32:17 -0400 Message-ID: To: Nikita Popov Cc: Tjerk Anne Meesters , "Bryan C. Geraghty" , Pierre Joye , "johannes@schlueters.dot.de" , "addw@phcomp.dot.co.uk" , PHP Internals , =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= Content-Type: multipart/alternative; boundary=001a11c32c08e6b7f904e6eaaeb6 Subject: Re: Re: PHP Crypt functions - security audit From: rdlowrey@gmail.com (Daniel Lowrey) --001a11c32c08e6b7f904e6eaaeb6 Content-Type: text/plain; charset=ISO-8859-1 Honestly that didn't even occur to me. I'd *much* rather kill the additional functions like you suggest. As long as I am not forced to use a PHP.ini to run I'm happy. ini_set() works fine for this and unless someone has a compelling reason not to I'll nix the functions. On Saturday, September 21, 2013, Nikita Popov wrote: > > On Sat, Sep 21, 2013 at 10:18 PM, Daniel Lowrey > > wrote: > >> Hello security-conscious internals people! >> >> I've got (what believe to be) a pretty good working solution for the >> problem of insecure-by-default stream encryption. I need to do some more >> thorough testing before pushing it upstream to a public fork but here's >> the >> quick and dirty: >> > > Sounds really great! One minor nitpick: > > - Global CA path defaults may be specified via new "openssl.cafile" and >> "openssl.capath" php.ini directives. This has the advantage mentioned >> upthread of allowing distros to customize the .ini file to point to an >> existing CA file. >> >> - Global CA path defaults may be specified at runtime via two new >> functions: >> + bool openssl_set_default_cafile(string $cafile) >> + bool openssl_set_default_capath(string $capath) >> > > Why do we need these functions? Can't you just specify it with > ini_set('openssl.cafile', $file)? I don't immediately see why we need > additional functions to set those ini options. > > Nikita > > --001a11c32c08e6b7f904e6eaaeb6--