Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:70701
Return-Path: <rdlowrey@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 59739 invoked from network); 17 Dec 2013 12:09:00 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Dec 2013 12:09:00 -0000
Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.171 as permitted sender)
X-PHP-List-Original-Sender: rdlowrey@gmail.com
X-Host-Fingerprint: 209.85.223.171 mail-ie0-f171.google.com  
Received: from [209.85.223.171] ([209.85.223.171:47840] helo=mail-ie0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id CB/3C-32483-ADE30B25 for <internals@lists.php.net>; Tue, 17 Dec 2013 07:08:58 -0500
Received: by mail-ie0-f171.google.com with SMTP id ar20so8232054iec.2
        for <internals@lists.php.net>; Tue, 17 Dec 2013 04:08:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Z+XGi7gfZ1HfAvfzDaufB3ww9slGUbhspOex1/ZwGEI=;
        b=ISkezmEHA96jVLjSkX269Pgf6vwy0qFBd0twPQtsyzZq4m22PnMZxyNjILgJn33zxQ
         ZTI8F4Btyzt07xmukNn0RCy1pEU2JZZ3tkJ6YktOrs6bP3oRACvGkrzC7YVcc/GW3Y3y
         bSIFVIK8nSHgn+G7JQ29FwWZok13YSgElBjT9/DR+kMiPlIs6u3fiyE8mzmYhYeZtURa
         pna5s1XRccMQ7cnB4HKZsuYb1QrxjQk0ETzxD4azTwzCeGQmWx9d11C1eJZu/iPyJa7j
         qUDmCxn869WDUviMt6hktNqR6KwnPDM4uoqMKBX0MG7xGH+UPfWNduipl9BxtZY6pXUR
         mkEw==
MIME-Version: 1.0
X-Received: by 10.43.137.71 with SMTP id in7mr15150icc.97.1387282135504; Tue,
 17 Dec 2013 04:08:55 -0800 (PST)
Received: by 10.50.208.105 with HTTP; Tue, 17 Dec 2013 04:08:55 -0800 (PST)
In-Reply-To: <CAH-PCH6vYL6jmCd-D=3qxTV_pqP_-9Qd2rENGtDENfS8i=6Qiw@mail.gmail.com>
References: <CAH8Mpn=W6cuZtn5210+u7xZ+ejM22mk0Sq3tihbQ0qRtr-H=LA@mail.gmail.com>
	<52AFABF7.60105@sugarcrm.com>
	<CAH8MpnnuSh1RJ8=Ty8rhEqg1mfGdJD+hs63zm7jBR66iXYaVXg@mail.gmail.com>
	<52B004E2.30607@php.net>
	<CAH-PCH6vYL6jmCd-D=3qxTV_pqP_-9Qd2rENGtDENfS8i=6Qiw@mail.gmail.com>
Date: Tue, 17 Dec 2013 07:08:55 -0500
Message-ID: <CAH8Mpnnbdn+hXw5R=m-qWexOmgR3+deSEE5a0vKhOQ=Rjf5egw@mail.gmail.com>
To: Ferenc Kovacs <tyra3l@gmail.com>
Cc: Joe Watkins <krakjoe@php.net>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c25428e406ed04edb9caa4
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification
From: rdlowrey@gmail.com (Daniel Lowrey)

--001a11c25428e406ed04edb9caa4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

> given that this is a security related change, one could argue that
security
> fixes should be ok to go in a minor version, even if they break BC.

This was my thought process. In my mind the RFC is about improving security
for users who don't know any better. I'm hoping to avoid the "Are we
allowed to break BC?" discussion.

Adding a CA file to the distribution is exceedingly simple, but this is not
a silver bullet. For example, the Mozilla CA file used by cURL is usually
updated three or four times a year. Even when bundling a CA file it would
only be a matter of time before a distribution's version was out of date.
In the end we can only do so much before users must bear the weight of
maintaining an acceptable level of security themselves.




On Tue, Dec 17, 2013 at 5:58 AM, Ferenc Kovacs <tyra3l@gmail.com> wrote:

>
>
>
> On Tue, Dec 17, 2013 at 9:01 AM, Joe Watkins <krakjoe@php.net> wrote:
>
>> On 12/17/2013 02:03 AM, Daniel Lowrey wrote:
>>
>>> Thanks for the input -- I'm just happy people are interested in the
>>> issue!
>>>
>>> Let me address a couple of things ...
>>>
>>>  you get essentially a configuration that can not use https at all
>>>>
>>>
>>> I wouldn't say this is the really the case. Users still have access to
>>> the
>>> same https functionality they've always had. The only difference is tha=
t
>>> they now must explicitly acknowledge that, "Yes, what I'm doing is
>>> insecure. I'm aware of it and I choose to continue anyway by specifying
>>> this context option."
>>>
>>>  But it may be against the spirit of the RFC?
>>>>
>>>
>>> :) Yes ... that's kind of what I'm going for. Basically it's my thought
>>> that many (most?) people using things like file_get_contents('https://'=
)
>>> are completely unaware of this issue in the first place. My thinking he=
re
>>> is that instead of not saying anything and just giving these users a
>>> false
>>> sense of security we should at least make mention of the problem instea=
d
>>> of
>>> sweeping it under the rug.
>>>
>>>  people would still ignore it
>>>>
>>>
>>> Almost certainly. In fact, users do this routinely with curl_* because
>>> they
>>> don't know any better.
>>>
>>> Finally, I think this problem can largely be alleviated with appropriat=
e
>>> documentation. Should the RFC pass I'll work to make sure that any peer
>>> verification changes are *well-documented* to (hopefully) stem the
>>> inevitable storm of bug reports.
>>>
>>>
>>> On Mon, Dec 16, 2013 at 8:42 PM, Stas Malyshev <smalyshev@sugarcrm.com
>>> >wrote:
>>>
>>>  Hi!
>>>>
>>>>  Please throw your votes at the TLS Peer Verification proposal:
>>>>>
>>>>> https://wiki.php.net/rfc/tls-peer-verification
>>>>>
>>>>> Voting closes Dec. 24 ... Happy Holidays!
>>>>>
>>>>
>>>> I'm not sure what to vote for here, because I like the ideas in the
>>>> patch about having a setting for CAfile, which in many distros would b=
y
>>>> default enable peer verification and thus make you more secure, but I
>>>> don't like the fact that when you compile PHP, you get essentially a
>>>> configuration that can not use https at all, since you have no CA file
>>>> configured.
>>>> I'd like it more if there was an option where if you set cafile or
>>>> capath, you get automatic peer verification, but if you don't, you do
>>>> not have it. But it may be against the spirit of the RFC?
>>>> I know you propose a warning in this case, but judging from the story =
of
>>>> the datetime timezone warning, people would still ignore it. Also
>>>> warning is not much help if for some reason you don't know where to ge=
t
>>>> a cert file. And there's no way to disable peer verification on ini
>>>> level.
>>>> --
>>>> Stanislav Malyshev, Software Architect
>>>> SugarCRM: http://www.sugarcrm.com/
>>>> (408)454-6900 ext. 227
>>>>
>>>>
>>>
>> Morning Internalz,
>>
>>         Daniel, you have to assume that nobody will even read the manual=
;
>> because they will not. I'm up for making it safer, but not for breaking
>> anything at all in a minor version, if we do not bundle the CA file it
>> would appear to break a bunch of requests that previously worked, that
>> doesn't seem good enough to me.
>>         We can change the behaviour of the engine, but we cannot change
>> the behaviour of users code; if a requests works now, regardless of it's
>> security, it must continue to work with the default settings, therefore,=
 I
>> suggest that you remove the option to change the behaviour of the engine
>> without maintaining the behaviour of users code, if the aim is to make
>> these requests more secure by default, then allowing it to fail, by any
>> means, defeats the object of making any changes at all.
>>
>>         If I'm wrong, tell me how :)
>>
>> Cheers
>> Joe
>>
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> I'm not taking sides, but given that this is a security related change,
> one could argue that security fixes should be ok to go in a minor version=
,
> even if they break BC.
>
> --
> Ferenc Kov=E1cs
> @Tyr43l - http://tyrael.hu
>

--001a11c25428e406ed04edb9caa4--