Newsgroups: php.internals
Date: Wed, 16 Oct 2013 09:38:07 -0400
From: rdlowrey@gmail.com (Daniel Lowrey)
To: "internals@lists.php.net"
Subject: [RFC] TLS Peer Verification

To those interested, a patch enabling TLS peer verification by default for client streams is now available here:

https://wiki.php.net/rfc/tls-peer-verification

Please note that this RFC is limited to client peer verification. I *do* have other outstanding ext/openssl PRs (atomic, tested) that do not merit RFC discussion (but are no less important). Each of these PRs addresses existing TLS security issues without breaking BC:

Honor Cipher Order
https://github.com/php/php-src/pull/493

Client-Initiated Renegotiation DoS
https://github.com/php/php-src/pull/486

TLSv1.1 and TLSv1.2 Support
https://github.com/php/php-src/pull/483