Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:69375 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 422 invoked from network); 27 Sep 2013 03:59:58 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Sep 2013 03:59:58 -0000 Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.83.45 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 74.125.83.45 mail-ee0-f45.google.com Received: from [74.125.83.45] ([74.125.83.45:41514] helo=mail-ee0-f45.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 3F/21-28456-DB205425 for ; Thu, 26 Sep 2013 23:59:57 -0400 Received: by mail-ee0-f45.google.com with SMTP id c50so937434eek.32 for ; Thu, 26 Sep 2013 20:59:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kWZLr9z4A++tNU8nB6ekS0vNUQeovpTYtZVWQFJ4s0A=; b=JInJCJiu6W0bDp0oWLqcXe4V0qsQgbL0mtu9wl0Xr6XkpOEU4b9NzCnXmIpQrJwxf7 cgjqqdwp0BmCoeYXTOuI7qymsFQ/SdJdteAYe/nEsAzU9TomZkalGzB1qW8VA7BQUrxl k6VZkw2l+zwprPD1kOuoYKydpAmDcVoGCg2m7uSJf8vEooiwb4LHHi11rHg1o0LHu/TV dJ96v74bf2WeQwkrHL/7JxiH1yPsQPgnbbnyE+eIvyOhZr1wRLuTZkaYcpFgbRxo+8Rx khZZASAcDRmLDTbyOhmL7uZskwpuF+g0Er///KI+6bAzGDIdrjYHPbkkNk6GmOrxEmFN iCKA== MIME-Version: 1.0 X-Received: by 10.15.99.72 with SMTP id bk48mr7056097eeb.22.1380254394651; Thu, 26 Sep 2013 20:59:54 -0700 (PDT) Received: by 10.223.199.129 with HTTP; Thu, 26 Sep 2013 20:59:54 -0700 (PDT) In-Reply-To: References: <523A466C.4070903@gmail.com> <000001ceb53c$492a3090$db7e91b0$@org> Date: Thu, 26 Sep 2013 23:59:54 -0400 Message-ID: To: "internals@lists.php.net" Cc: "Bryan C. Geraghty" , Pierre Joye , =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= , Adam Harvey , Ryan McCue , Nikita Popov , Tjerk Meesters Content-Type: multipart/alternative; boundary=089e01681616e4b89e04e755843f Subject: Re: [PHP-DEV] Re: Re: PHP Crypt functions - security audit From: rdlowrey@gmail.com (Daniel Lowrey) --089e01681616e4b89e04e755843f Content-Type: text/plain; charset=ISO-8859-1 --- SSL/TLS security progress update --- All previously discussed aspects of secure-by-default stream encryption are now implemented and tested. There are some other significant improvements including but not limited to full TLSv1.1+TLSv1.2 support and simplified peer fingerprint verification. As planned all changes are implemented with the minimum possible BC impact and require zero user-knowledge for secure implementations in userland. A rather exhaustive RFC is in the works and I hope to float it before too much longer. Consider yourselves updated. On Sat, Sep 21, 2013 at 4:18 PM, Daniel Lowrey wrote: > Hello security-conscious internals people! > > I've got (what believe to be) a pretty good working solution for the > problem of insecure-by-default stream encryption. I need to do some more > thorough testing before pushing it upstream to a public fork but here's the > quick and dirty: > > --- Summary --- > > - All encrypted streams have peer verification enabled by default. > > - Global CA path defaults may be specified via new "openssl.cafile" and > "openssl.capath" php.ini directives. This has the advantage mentioned > upthread of allowing distros to customize the .ini file to point to an > existing CA file. > > - Global CA path defaults may be specified at runtime via two new > functions: > + bool openssl_set_default_cafile(string $cafile) > + bool openssl_set_default_capath(string $capath) > > - Per-stream CA paths may still be specified at call time by passing the > existing "cafile" or "capath" ssl options in the stream context (the ini > directives are a fallback) > > - If none of the above methods have been used to specify the necessary CA > info you get a painfully explicit E_WARNING explaining that peer > verification is necessary to prevent Man-in-the-Middle attacks and that you > need to specify a CA or disable peer verification (gasp). > > - The peer name to be verified is automagically detected from the URI > (eliminating the need for *any* configuration by the user for > secure-by-default peer verification) > > - A new ssl context option, "peer_name" is added to allow manual override > of the automatically detected name (can be useful if you're connecting via > an IP address instead of a name). > > - Peer certs using the subjectAltName (SAN) extension are now honored when > verifying peer names. Currently we're violating the relevant spec and not > doing this at all. With this change a common name (CN) match is only > attempted if no SAN matches were found first. This is a BC improvement that > I'll PR for inclusion in 5.4/5.5 soon regardless of what happens with peer > verification changes. > > --- BC ramifications --- > > The new "peer_name" context option (coupled with automatic name detection) > totally invalidates the need for "CN_match" as well as "SNI_server_name" > ... IMO these values are implementation details that are only necessary > when fixing the problem of not verifying peers by default. My changes solve > this problem and as a result I think the use of these context options > should be deprecated and result in E_NOTICE for 5.6 with removal scheduled > for 5.7. In the meantime these values, if passed in the context, will > replace the "peer_name" value. Also, while I'm on the subject of the > existing context options: I don't really see the point in keeping the > "SNI_enabled" context option going forward either. If the underlying > openssl libs support SNI then we should just use it automatically. Is there > some benefit to disabling it when it's available that I'm unaware of? IMO > "SNI_enabled" should receive the same deprecation treatment as "CN_match" > and "SNI_server_name" ... > > As for existing code ... with the addition of a single line in php.ini > almost all preexisting code will "just work." > > // way more secure, zero user knowledge needed, just works > file_get_contents('https://www.github.com'); > > If you have problems you can always pass a context with "verify_peer" => > FALSE. The difference is that now instead of being horribly insecure by > default PHP would say, "okay, I'll let you do this if you really want to > but understand that it's not safe." > > --- Other considerations --- > > It may be overkill to have *2* ini directives and setter functions (one > for cafile and one for capath). I'm on the fence with this and would be > fine with killing the capath directive/setter in the interest of keeping > things simple. Finally, on the subject bundling a CA file with the > distribution ... I don't care if we do or we don't. It's not that difficult > to have a manual page dedicated to explaining why you need a CA file to > verify peers in your encrypted transfers and offer instructions on how to > procure one. Even if we don't bundle a cafile with the distro the hit to BC > is extremely minimal and easy to remedy. Security is always a good reason > to break BC. > > Alas, this turned into the neverending email, so thanks if you made it > this far. Please share any thoughts, comments or questions. Or if you just > want to tell me I'm an idiot that's fine too. I'll get the code on github > in the next couple of days, but I want to incorporate any suggestions > people may have first. > > --089e01681616e4b89e04e755843f--