Newsgroups: php.internals
Xref: news.php.net php.internals:70693
Message-ID: <52AFABF7.60105@sugarcrm.com>
Date: Mon, 16 Dec 2013 17:42:15 -0800
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Daniel Lowrey, internals@lists.php.net
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification

Hi!

> Please throw your votes at the TLS Peer Verification proposal:
>
> https://wiki.php.net/rfc/tls-peer-verification
>
> Voting closes Dec. 24 ... Happy Holidays!
I'm not sure what to vote for here, because I like the ideas in the patch about having a setting for CAfile, which in many distros would by default enable peer verification and thus make you more secure, but I don't like the fact that when you compile PHP, you get essentially a configuration that cannot use https at all, since you have no CA file configured.

I'd like it more if there was an option where if you set cafile or capath, you get automatic peer verification, but if you don't, you do not have it. But it may be against the spirit of the RFC?

I know you propose a warning in this case, but judging from the story of the datetime timezone warning, people would still ignore it. Also, a warning is not much help if for some reason you don't know where to get a cert file. And there's no way to disable peer verification on ini level.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
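An added example (not code from the RFC or from this thread) of the two configurations the message contrasts: an `ssl` stream context with no CA bundle, which only connects if `verify_peer` is switched off, beside one that resolves a CA bundle from an explicit argument, the RFC's `openssl.cafile`/`openssl.capath` ini directives or OpenSSL's compiled-in defaults, and fails closed when none exists. The function names, the use of `openssl_get_cert_locations()` (PHP 5.6+) and the `example.com` host are assumptions of this example.

```php
<?php
// Insecure: what a freshly compiled PHP with no CA file tends to push people
// toward, since https cannot otherwise connect at all.
function insecure_context()
{
    return stream_context_create(['ssl' => [
        'verify_peer'      => false,   // any certificate is accepted
        'verify_peer_name' => false,
    ]]);
}

// Locate a CA bundle: explicit argument, then the openssl.cafile/openssl.capath
// ini directives the RFC adds, then OpenSSL's compiled-in default locations.
// Returns ['cafile' => path] or ['capath' => dir]; throws if none exists.
function find_ca_bundle(?string $cafile = null, ?string $capath = null): array
{
    $candidates = [
        ['cafile', $cafile],
        ['capath', $capath],
        ['cafile', ini_get('openssl.cafile') ?: null],
        ['capath', ini_get('openssl.capath') ?: null],
    ];
    if (function_exists('openssl_get_cert_locations')) {   // PHP >= 5.6
        $loc = openssl_get_cert_locations();
        $candidates[] = ['cafile', $loc['default_cert_file'] ?? null];
        $candidates[] = ['capath', $loc['default_cert_dir'] ?? null];
    }
    foreach ($candidates as [$key, $value]) {
        if ($value !== null && file_exists($value)) {
            return [$key => $value];
        }
    }
    throw new RuntimeException('No CA bundle found; refusing to connect with peer verification off');
}

// Secure: verification stays on, and a missing CA bundle is a hard error
// rather than a reason to flip verify_peer to false.
function verifying_context(?string $cafile = null, ?string $capath = null)
{
    return stream_context_create(['ssl' => find_ca_bundle($cafile, $capath) + [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
    ]]);
}

// Usage: performs a real HTTPS request (example.com is a placeholder host).
$ctx  = verifying_context();
$body = file_get_contents('https://example.com/', false, $ctx);
```

Pointing `verifying_context()` at a host whose chain is not in the located bundle fails with a verification error instead of silently connecting, which is the behaviour the RFC's default is meant to guarantee.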