Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70699 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 53614 invoked from network); 17 Dec 2013 11:40:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Dec 2013 11:40:34 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.44 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.128.44 mail-qe0-f44.google.com Received: from [209.85.128.44] ([209.85.128.44:35295] helo=mail-qe0-f44.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 61/8B-32483-13830B25 for ; Tue, 17 Dec 2013 06:40:34 -0500 Received: by mail-qe0-f44.google.com with SMTP id nd7so4998435qeb.17 for ; Tue, 17 Dec 2013 03:40:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=AKP71V64/XqnoV7QL3KNw+07rQnmAYFjtb69oYAPv4A=; b=T8LXw7t0BHaucojq/KKRNShj8rbqisivNWMcewseNnz6+qalPnDqiQCZULvfAzFnJy sougZg9cJHgAsjCa5ySYxJoSiVgvlfUv9ZAyxUwerE9SfxcY1l0RN3+6subZ1y7QYITf favuRUVLr9lIAK0ZpSTbh3jALvdQrq70vjgXYj9odbOvfWKlwe0mwwHCmiZC0wPlDDI6 g1W3qVgqAt4T761G7JDkD/rXyzy9Vga9H9AVea+8Oo1gDUcqz2pcQppXrN3uPouGg+rK Mcf+JgXgJhogahXaZanbd3SkB4+2p/8dIArRuWcMxnzSbT0Xnk4E7kniS3Sag49xlAkd Zk4w== MIME-Version: 1.0 X-Received: by 10.49.25.109 with SMTP id b13mr42044156qeg.3.1387280431004; Tue, 17 Dec 2013 03:40:31 -0800 (PST) Received: by 10.140.37.179 with HTTP; Tue, 17 Dec 2013 03:40:30 -0800 (PST) In-Reply-To: <52B03511.8040603@php.net> References: <52AFABF7.60105@sugarcrm.com> <52B004E2.30607@php.net> <52B03511.8040603@php.net> Date: Tue, 17 Dec 2013 12:40:30 +0100 Message-ID: To: Joe Watkins Cc: PHP Internals Content-Type: multipart/alternative; boundary=047d7b677f1e4b42b504edb9659f Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification From: tyra3l@gmail.com (Ferenc Kovacs) --047d7b677f1e4b42b504edb9659f Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Tue, Dec 17, 2013 at 12:27 PM, Joe Watkins wrote: > On 12/17/2013 10:58 AM, Ferenc Kovacs wrote: > >> On Tue, Dec 17, 2013 at 9:01 AM, Joe Watkins wrote: >> >> On 12/17/2013 02:03 AM, Daniel Lowrey wrote: >>> >>> Thanks for the input -- I'm just happy people are interested in the >>>> issue! >>>> >>>> Let me address a couple of things ... >>>> >>>> you get essentially a configuration that can not use https at all >>>> >>>>> >>>>> >>>> I wouldn't say this is the really the case. Users still have access to >>>> the >>>> same https functionality they've always had. The only difference is th= at >>>> they now must explicitly acknowledge that, "Yes, what I'm doing is >>>> insecure. I'm aware of it and I choose to continue anyway by specifyin= g >>>> this context option." >>>> >>>> But it may be against the spirit of the RFC? >>>> >>>>> >>>>> >>>> :) Yes ... that's kind of what I'm going for. Basically it's my though= t >>>> that many (most?) people using things like file_get_contents('https:// >>>> ') >>>> are completely unaware of this issue in the first place. My thinking >>>> here >>>> is that instead of not saying anything and just giving these users a >>>> false >>>> sense of security we should at least make mention of the problem inste= ad >>>> of >>>> sweeping it under the rug. >>>> >>>> people would still ignore it >>>> >>>>> >>>>> >>>> Almost certainly. In fact, users do this routinely with curl_* because >>>> they >>>> don't know any better. >>>> >>>> Finally, I think this problem can largely be alleviated with appropria= te >>>> documentation. Should the RFC pass I'll work to make sure that any pee= r >>>> verification changes are *well-documented* to (hopefully) stem the >>>> inevitable storm of bug reports. >>>> >>>> >>>> On Mon, Dec 16, 2013 at 8:42 PM, Stas Malyshev >>> >>>>> wrote: >>>>> >>>> >>>> Hi! >>>> >>>>> >>>>> Please throw your votes at the TLS Peer Verification proposal: >>>>> >>>>>> >>>>>> https://wiki.php.net/rfc/tls-peer-verification >>>>>> >>>>>> Voting closes Dec. 24 ... Happy Holidays! >>>>>> >>>>>> >>>>> I'm not sure what to vote for here, because I like the ideas in the >>>>> patch about having a setting for CAfile, which in many distros would = by >>>>> default enable peer verification and thus make you more secure, but I >>>>> don't like the fact that when you compile PHP, you get essentially a >>>>> configuration that can not use https at all, since you have no CA fil= e >>>>> configured. >>>>> I'd like it more if there was an option where if you set cafile or >>>>> capath, you get automatic peer verification, but if you don't, you do >>>>> not have it. But it may be against the spirit of the RFC? >>>>> I know you propose a warning in this case, but judging from the story >>>>> of >>>>> the datetime timezone warning, people would still ignore it. Also >>>>> warning is not much help if for some reason you don't know where to g= et >>>>> a cert file. And there's no way to disable peer verification on ini >>>>> level. >>>>> -- >>>>> Stanislav Malyshev, Software Architect >>>>> SugarCRM: http://www.sugarcrm.com/ >>>>> (408)454-6900 ext. 227 >>>>> >>>>> >>>>> >>>> Morning Internalz, >>> >>> Daniel, you have to assume that nobody will even read the >>> manual; >>> because they will not. I'm up for making it safer, but not for breaking >>> anything at all in a minor version, if we do not bundle the CA file it >>> would appear to break a bunch of requests that previously worked, that >>> doesn't seem good enough to me. >>> We can change the behaviour of the engine, but we cannot chang= e >>> the behaviour of users code; if a requests works now, regardless of it'= s >>> security, it must continue to work with the default settings, therefore= , >>> I >>> suggest that you remove the option to change the behaviour of the engin= e >>> without maintaining the behaviour of users code, if the aim is to make >>> these requests more secure by default, then allowing it to fail, by any >>> means, defeats the object of making any changes at all. >>> >>> If I'm wrong, tell me how :) >>> >>> Cheers >>> Joe >>> >>> >>> -- >>> PHP Internals - PHP Runtime Development Mailing List >>> To unsubscribe, visit: http://www.php.net/unsub.php >>> >>> >>> I'm not taking sides, but given that this is a security related change= , >> one >> could argue that security fixes should be ok to go in a minor version, >> even >> if they break BC. >> >> Tyrael, > > Okay, but there's no good reason not to implement the fix in the > most backward compatible manner in the first place; breaking BC doesn't > make it any more secure, it just breaks shit. > Additionally when you consider the context, this is not affecting > the behaviour of some rarely used functionality, it would be reckless to > change it's behaviour when retaining compatibly is no problem at all. > > Cheers > Joe > Hi Joe, As I mentioned, I'm not saying that we should accept the proposal, I only replied because you stated that "I'm up for making it safer, but not for breaking anything at all in a minor version, if we do not bundle the CA file it would appear to break a bunch of requests that previously worked, that doesn't seem good enough to me." Ofc. I also would prefer if we could improve the situation without introducing a BC break in a minor version. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --047d7b677f1e4b42b504edb9659f--