Newsgroups: php.internals
Xref: news.php.net php.internals:70695
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification
From: rdlowrey@gmail.com (Daniel Lowrey)
To: Stas Malyshev
Cc: "internals@lists.php.net"
Date: Mon, 16 Dec 2013 21:03:40 -0500
In-Reply-To: <52AFABF7.60105@sugarcrm.com>

Thanks for the input -- I'm just happy people are interested in the issue! Let me address a couple of things ...

> you get essentially a configuration that can not use https at all

I wouldn't say this is really the case. Users still have access to the same https functionality they've always had. The only difference is that they now must explicitly acknowledge that, "Yes, what I'm doing is insecure. I'm aware of it and I choose to continue anyway by specifying this context option."

> But it may be against the spirit of the RFC? :)

Yes ... that's kind of what I'm going for. Basically it's my thought that many (most?) people using things like file_get_contents('https://') are completely unaware of this issue in the first place. My thinking here is that instead of not saying anything and just giving these users a false sense of security we should at least make mention of the problem instead of sweeping it under the rug.

> people would still ignore it

Almost certainly. In fact, users do this routinely with curl_* because they don't know any better. Finally, I think this problem can largely be alleviated with appropriate documentation. Should the RFC pass I'll work to make sure that any peer verification changes are *well-documented* to (hopefully) stem the inevitable storm of bug reports.

On Mon, Dec 16, 2013 at 8:42 PM, Stas Malyshev wrote:
> Hi!
>
> > Please throw your votes at the TLS Peer Verification proposal:
> >
> > https://wiki.php.net/rfc/tls-peer-verification
> >
> > Voting closes Dec. 24 ... Happy Holidays!
>
> I'm not sure what to vote for here, because I like the ideas in the patch about having a setting for CAfile, which in many distros would by default enable peer verification and thus make you more secure, but I don't like the fact that when you compile PHP, you get essentially a configuration that can not use https at all, since you have no CA file configured.
> I'd like it more if there was an option where if you set cafile or capath, you get automatic peer verification, but if you don't, you do not have it. But it may be against the spirit of the RFC?
> I know you propose a warning in this case, but judging from the story of the datetime timezone warning, people would still ignore it. Also warning is not much help if for some reason you don't know where to get a cert file. And there's no way to disable peer verification on ini level.
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
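An added illustration of the stream context option the reply refers to and of the "no CA file configured" case Stas raises (example code written for this page, not taken from the thread or from PHP's own sources). It assumes PHP 7+, where the RFC's verified-by-default behaviour and the openssl.cafile/openssl.capath ini settings (both from 5.6) exist; the CA bundle path is a placeholder.

```php
<?php
// Added example, not from the thread or from PHP itself. Assumes PHP 7+
// (verify_peer default and openssl.cafile/capath ini landed in 5.6).

/**
 * Build an SSL stream context. With $insecure = false (the default) the
 * peer certificate chain and hostname are checked; $insecure = true is the
 * explicit "I know this is insecure" opt-out the thread refers to.
 * $caFile = null means: rely on openssl.cafile/capath or OpenSSL defaults.
 */
function buildTlsContext($caFile = null, bool $insecure = false)
{
    $ssl = [
        'verify_peer'       => !$insecure,
        'verify_peer_name'  => !$insecure,
        'allow_self_signed' => false,
    ];
    if ($caFile !== null) {
        if (!is_readable($caFile)) {
            throw new RuntimeException("CA bundle not readable: $caFile");
        }
        $ssl['cafile'] = $caFile;
    }
    return stream_context_create(['ssl' => $ssl]);
}

/** Fetch an https URL, turning the silent false return into an exception. */
function fetchHttps(string $url, $context): string
{
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

/** Report which CA source verification falls back to when no cafile is given. */
function describeCaSource(): string
{
    if ($file = ini_get('openssl.cafile')) {
        return "openssl.cafile = $file";
    }
    if ($path = ini_get('openssl.capath')) {
        return "openssl.capath = $path";
    }
    return 'no ini CA setting; OpenSSL compiled-in defaults (the "no CA file configured" case)';
}

echo describeCaSource(), PHP_EOL;
// '/path/to/ca-bundle.crt' is a placeholder for your distro's bundle.
$page = fetchHttps('https://example.com/', buildTlsContext('/path/to/ca-bundle.crt'));
```

Leaving both verify flags on and supplying a readable bundle is the verified path; a fetch that only succeeds with `$insecure = true` is the situation the RFC wants to surface rather than silently allow.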