Newsgroups: php.internals
Date: Wed, 11 Dec 2013 09:23:52 -0500
To: internals@lists.php.net
Subject: [RFC] TLS Peer Verification (update)
From: rdlowrey@gmail.com (Daniel Lowrey)

Hello, internals!

I have let it idle for a couple of months but it's time to address TLS peer verification:

https://wiki.php.net/rfc/tls-peer-verification

We essentially have three options in this area:

1. Continue with peer verification disabled by default
2. Implement the proposed patch but do not bundle a default CA file with the distribution
3. Implement the proposed patch and bundle a CA file

In my humble opinion the first option borders on negligence and is not really an option at all. The second choice at the very least forces users to explicitly disable peer verification if they wish to allow insecure transfers (like ext/curl). The third option allows most existing code to function as-is but may carry additional licensing or distribution difficulties (I don't really know).

I would personally vote for option 2 (if I had a vote).

In any case, please share any concerns, questions or comments as I'd prefer to initiate a vote in the next couple of days. If the patch is implemented some significant manual updates are in order and I will work to submit those in the event of the RFC's acceptance.

For those who'd like more information on the problem addressed by this RFC a good external resource on the subject can be found below:

http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-(HTTPS-SSL-and-TLS).html#ssl-tls-from-php-server-to-server
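The following is an added example, not code from the RFC or from this post, showing what the second option means in practice for userland code: an stream context that leaves verification off (the behaviour the RFC wants to stop being the silent default) beside one that verifies the peer against an explicitly named CA bundle, plus a small audit helper that flags contexts which would allow insecure transfers. It assumes the `ssl` stream context options `verify_peer`, `allow_self_signed`, `cafile`, `capath` and `verify_depth` (present in PHP 5.x) and `verify_peer_name` (PHP 5.6 and later); the CA bundle path is a placeholder and the function names are this example's own.

```php
<?php
// Added example; not part of the RFC or the mailing-list post.
// Assumed ssl context options: verify_peer, allow_self_signed, cafile, capath,
// verify_depth (PHP 5.x) and verify_peer_name (PHP 5.6+).
// CA_BUNDLE is a placeholder path; point it at the system's CA bundle.
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

/** The pattern the RFC argues against: the peer certificate is never checked. */
function insecureContext() {
    return stream_context_create([
        'ssl' => [
            'verify_peer' => false, // any certificate is accepted; an interposed host is undetectable
        ],
    ]);
}

/** Explicit verification against a named CA bundle, as option 2 would require of callers. */
function verifiedContext($caFile = CA_BUNDLE) {
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,  // PHP 5.6+: the hostname must match the certificate
            'allow_self_signed' => false,
            'cafile'            => $caFile,
            'verify_depth'      => 5,     // bound the chain length accepted from the peer
        ],
    ]);
}

/**
 * Audit helper: returns a list of findings for a stream context so that a code
 * review or CI check can spot contexts that would let insecure transfers through.
 */
function auditSslContext($ctx) {
    $opts = stream_context_get_options($ctx);
    $ssl = isset($opts['ssl']) ? $opts['ssl'] : [];
    $findings = [];

    if (!array_key_exists('verify_peer', $ssl)) {
        $findings[] = 'verify_peer not set: relies on the engine default (off before this RFC)';
    } elseif ($ssl['verify_peer'] === false) {
        $findings[] = 'verify_peer explicitly disabled';
    }
    if (!empty($ssl['allow_self_signed'])) {
        $findings[] = 'allow_self_signed enabled: any self-signed certificate passes';
    }
    if (!empty($ssl['verify_peer']) && empty($ssl['cafile']) && empty($ssl['capath'])) {
        $findings[] = 'no cafile/capath given: verification depends on OpenSSL default locations';
    }
    if (!empty($ssl['verify_peer']) && empty($ssl['verify_peer_name'])) {
        $findings[] = 'verify_peer_name not enabled: certificate is not tied to the hostname (PHP 5.6+)';
    }
    return $findings;
}

/** Fetch a URL with the verified context; a certificate failure surfaces as an exception. */
function fetchVerified($url, $caFile = CA_BUNDLE) {
    $body = @file_get_contents($url, false, verifiedContext($caFile));
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err ? $err['message'] : 'unknown error'));
    }
    return $body;
}

// Usage: php this_file.php https://example.invalid/  (URL is a placeholder)
if (PHP_SAPI === 'cli') {
    foreach (auditSslContext(insecureContext()) as $f) {
        echo "insecure context: $f\n";
    }
    foreach (auditSslContext(verifiedContext()) as $f) {
        echo "verified context: $f\n";
    }
    if (isset($argv[1])) {
        echo substr(fetchVerified($argv[1]), 0, 200), "\n";
    }
}
```

Run without a URL, the script only audits the two contexts, which is enough to show the difference: the insecure context reports `verify_peer explicitly disabled`, the verified one reports nothing. The audit helper is the part worth keeping around after the RFC lands, since a context that was written before the default changed may still carry an explicit `verify_peer => false` that nobody revisited.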