Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:70697
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 46044 invoked from network); 17 Dec 2013 10:58:47 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Dec 2013 10:58:47 -0000
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.46 as permitted sender)
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 209.85.128.46 mail-qe0-f46.google.com  
Received: from [209.85.128.46] ([209.85.128.46:57494] helo=mail-qe0-f46.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 63/CA-32483-46E20B25 for <internals@lists.php.net>; Tue, 17 Dec 2013 05:58:44 -0500
Received: by mail-qe0-f46.google.com with SMTP id a11so4900397qen.19
        for <internals@lists.php.net>; Tue, 17 Dec 2013 02:58:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=618sRxNPFAqgk/hmDeDuxb9UrwUIGmN0v37qrpN7FLg=;
        b=i0hThn2yTEdF491eD3JQU2Svb9bfEZ6pjz0BsN3Dd1GXET0uUkd4b7tZw4+M/bCIop
         Llg0JN/dAcMW5A1OhpvskdVWynNOZ9ycXBNPJP1aIrngns5HQwRsyW7tyIAz4yA0idoV
         ChEfKmXnq8gS+lc/dkpX1+DiKEHT5wzqehocB1tmbgXKOzUv1/ji3uUfFUWrIMoNNGYD
         Zi20GZe50i2ZxtRQjZl188idXk4tnV5/OXsVBSXsywtN/jOoc3cLGqxnalPDRMCAUCzY
         SonSGVodaUU2MseCH3V9ysmA/VNAEq8OUlQxeOQoJc/aGmV48tG47h/Lz2eF6soLhOeO
         2M6g==
MIME-Version: 1.0
X-Received: by 10.224.47.137 with SMTP id n9mr41983339qaf.47.1387277921423;
 Tue, 17 Dec 2013 02:58:41 -0800 (PST)
Received: by 10.140.37.179 with HTTP; Tue, 17 Dec 2013 02:58:41 -0800 (PST)
In-Reply-To: <52B004E2.30607@php.net>
References: <CAH8Mpn=W6cuZtn5210+u7xZ+ejM22mk0Sq3tihbQ0qRtr-H=LA@mail.gmail.com>
	<52AFABF7.60105@sugarcrm.com>
	<CAH8MpnnuSh1RJ8=Ty8rhEqg1mfGdJD+hs63zm7jBR66iXYaVXg@mail.gmail.com>
	<52B004E2.30607@php.net>
Date: Tue, 17 Dec 2013 11:58:41 +0100
Message-ID: <CAH-PCH6vYL6jmCd-D=3qxTV_pqP_-9Qd2rENGtDENfS8i=6Qiw@mail.gmail.com>
To: Joe Watkins <krakjoe@php.net>
Cc: PHP Internals <internals@lists.php.net>, Daniel Lowrey <rdlowrey@gmail.com>
Content-Type: multipart/alternative; boundary=001a1130d202b616d804edb8cffc
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification
From: tyra3l@gmail.com (Ferenc Kovacs)

--001a1130d202b616d804edb8cffc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Tue, Dec 17, 2013 at 9:01 AM, Joe Watkins <krakjoe@php.net> wrote:

> On 12/17/2013 02:03 AM, Daniel Lowrey wrote:
>
>> Thanks for the input -- I'm just happy people are interested in the issu=
e!
>>
>> Let me address a couple of things ...
>>
>>  you get essentially a configuration that can not use https at all
>>>
>>
>> I wouldn't say this is the really the case. Users still have access to t=
he
>> same https functionality they've always had. The only difference is that
>> they now must explicitly acknowledge that, "Yes, what I'm doing is
>> insecure. I'm aware of it and I choose to continue anyway by specifying
>> this context option."
>>
>>  But it may be against the spirit of the RFC?
>>>
>>
>> :) Yes ... that's kind of what I'm going for. Basically it's my thought
>> that many (most?) people using things like file_get_contents('https://')
>> are completely unaware of this issue in the first place. My thinking her=
e
>> is that instead of not saying anything and just giving these users a fal=
se
>> sense of security we should at least make mention of the problem instead
>> of
>> sweeping it under the rug.
>>
>>  people would still ignore it
>>>
>>
>> Almost certainly. In fact, users do this routinely with curl_* because
>> they
>> don't know any better.
>>
>> Finally, I think this problem can largely be alleviated with appropriate
>> documentation. Should the RFC pass I'll work to make sure that any peer
>> verification changes are *well-documented* to (hopefully) stem the
>> inevitable storm of bug reports.
>>
>>
>> On Mon, Dec 16, 2013 at 8:42 PM, Stas Malyshev <smalyshev@sugarcrm.com
>> >wrote:
>>
>>  Hi!
>>>
>>>  Please throw your votes at the TLS Peer Verification proposal:
>>>>
>>>> https://wiki.php.net/rfc/tls-peer-verification
>>>>
>>>> Voting closes Dec. 24 ... Happy Holidays!
>>>>
>>>
>>> I'm not sure what to vote for here, because I like the ideas in the
>>> patch about having a setting for CAfile, which in many distros would by
>>> default enable peer verification and thus make you more secure, but I
>>> don't like the fact that when you compile PHP, you get essentially a
>>> configuration that can not use https at all, since you have no CA file
>>> configured.
>>> I'd like it more if there was an option where if you set cafile or
>>> capath, you get automatic peer verification, but if you don't, you do
>>> not have it. But it may be against the spirit of the RFC?
>>> I know you propose a warning in this case, but judging from the story o=
f
>>> the datetime timezone warning, people would still ignore it. Also
>>> warning is not much help if for some reason you don't know where to get
>>> a cert file. And there's no way to disable peer verification on ini
>>> level.
>>> --
>>> Stanislav Malyshev, Software Architect
>>> SugarCRM: http://www.sugarcrm.com/
>>> (408)454-6900 ext. 227
>>>
>>>
>>
> Morning Internalz,
>
>         Daniel, you have to assume that nobody will even read the manual;
> because they will not. I'm up for making it safer, but not for breaking
> anything at all in a minor version, if we do not bundle the CA file it
> would appear to break a bunch of requests that previously worked, that
> doesn't seem good enough to me.
>         We can change the behaviour of the engine, but we cannot change
> the behaviour of users code; if a requests works now, regardless of it's
> security, it must continue to work with the default settings, therefore, =
I
> suggest that you remove the option to change the behaviour of the engine
> without maintaining the behaviour of users code, if the aim is to make
> these requests more secure by default, then allowing it to fail, by any
> means, defeats the object of making any changes at all.
>
>         If I'm wrong, tell me how :)
>
> Cheers
> Joe
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
I'm not taking sides, but given that this is a security related change, one
could argue that security fixes should be ok to go in a minor version, even
if they break BC.

--=20
Ferenc Kov=C3=A1cs
@Tyr43l - http://tyrael.hu

--001a1130d202b616d804edb8cffc--