Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70702 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 61081 invoked from network); 17 Dec 2013 12:10:10 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Dec 2013 12:10:10 -0000 Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.179 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 209.85.213.179 mail-ig0-f179.google.com Received: from [209.85.213.179] ([209.85.213.179:47441] helo=mail-ig0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7D/7C-32483-12F30B25 for ; Tue, 17 Dec 2013 07:10:10 -0500 Received: by mail-ig0-f179.google.com with SMTP id hk11so6180430igb.0 for ; Tue, 17 Dec 2013 04:10:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fTFlLj7Ey0l2BWVENEMutwYMtrJIEXGQ+FAODRBjvOc=; b=T+iC0nAQqquMX9+PunLItPxACZTdZUKGcTPHkIPkeNKc+YU4N8vrxo2INZ1TVmCP+P DALTE/wblwBHVaCHlEM4o6L2FPZn6xxWf1VBzaYzogX2EZ6XNwFJH5hZYnd7Z+nymho6 +Dy2ZP4J9KIk/HuAP6ZjiFKzcoYpshVf7PwLIYyBUNv4wnDW12bFIKQJBXaGfXd+5kb3 yL+qATG7XeK0l3q8yEzcmO/JdSzS9u3Ea9prHcl/BSBFaJECwn2Kkjgpfs0EBPhEHArP c/7vWWqxzMpKJJ7dxRD4ivAGGCGUiSUNZcKBkUiHNz4Cggk9cvxkmEm2k1lMXFFDwV6B FDOA== MIME-Version: 1.0 X-Received: by 10.50.134.99 with SMTP id pj3mr2771421igb.14.1387282206274; Tue, 17 Dec 2013 04:10:06 -0800 (PST) Received: by 10.50.208.105 with HTTP; Tue, 17 Dec 2013 04:10:06 -0800 (PST) In-Reply-To: References: <52AFABF7.60105@sugarcrm.com> <52B004E2.30607@php.net> Date: Tue, 17 Dec 2013 07:10:06 -0500 Message-ID: To: Ferenc Kovacs Cc: Joe Watkins , PHP Internals Content-Type: multipart/alternative; boundary=047d7b41402e1bc95404edb9cfc9 Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification From: rdlowrey@gmail.com (Daniel Lowrey) --047d7b41402e1bc95404edb9cfc9 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I've been asked to extend the voting period by a week because: holidays. So instead of Dec. 24 the voting period will now end on Dec. 31. On Tue, Dec 17, 2013 at 7:08 AM, Daniel Lowrey wrote: > > given that this is a security related change, one could argue that > security > > fixes should be ok to go in a minor version, even if they break BC. > > This was my thought process. In my mind the RFC is about improving > security for users who don't know any better. I'm hoping to avoid the "Ar= e > we allowed to break BC?" discussion. > > Adding a CA file to the distribution is exceedingly simple, but this is > not a silver bullet. For example, the Mozilla CA file used by cURL is > usually updated three or four times a year. Even when bundling a CA file = it > would only be a matter of time before a distribution's version was out of > date. In the end we can only do so much before users must bear the weight > of maintaining an acceptable level of security themselves. > > > > > On Tue, Dec 17, 2013 at 5:58 AM, Ferenc Kovacs wrote: > >> >> >> >> On Tue, Dec 17, 2013 at 9:01 AM, Joe Watkins wrote: >> >>> On 12/17/2013 02:03 AM, Daniel Lowrey wrote: >>> >>>> Thanks for the input -- I'm just happy people are interested in the >>>> issue! >>>> >>>> Let me address a couple of things ... >>>> >>>> you get essentially a configuration that can not use https at all >>>>> >>>> >>>> I wouldn't say this is the really the case. Users still have access to >>>> the >>>> same https functionality they've always had. The only difference is th= at >>>> they now must explicitly acknowledge that, "Yes, what I'm doing is >>>> insecure. I'm aware of it and I choose to continue anyway by specifyin= g >>>> this context option." >>>> >>>> But it may be against the spirit of the RFC? >>>>> >>>> >>>> :) Yes ... that's kind of what I'm going for. Basically it's my though= t >>>> that many (most?) people using things like file_get_contents('https:// >>>> ') >>>> are completely unaware of this issue in the first place. My thinking >>>> here >>>> is that instead of not saying anything and just giving these users a >>>> false >>>> sense of security we should at least make mention of the problem >>>> instead of >>>> sweeping it under the rug. >>>> >>>> people would still ignore it >>>>> >>>> >>>> Almost certainly. In fact, users do this routinely with curl_* because >>>> they >>>> don't know any better. >>>> >>>> Finally, I think this problem can largely be alleviated with appropria= te >>>> documentation. Should the RFC pass I'll work to make sure that any pee= r >>>> verification changes are *well-documented* to (hopefully) stem the >>>> inevitable storm of bug reports. >>>> >>>> >>>> On Mon, Dec 16, 2013 at 8:42 PM, Stas Malyshev >>> >wrote: >>>> >>>> Hi! >>>>> >>>>> Please throw your votes at the TLS Peer Verification proposal: >>>>>> >>>>>> https://wiki.php.net/rfc/tls-peer-verification >>>>>> >>>>>> Voting closes Dec. 24 ... Happy Holidays! >>>>>> >>>>> >>>>> I'm not sure what to vote for here, because I like the ideas in the >>>>> patch about having a setting for CAfile, which in many distros would = by >>>>> default enable peer verification and thus make you more secure, but I >>>>> don't like the fact that when you compile PHP, you get essentially a >>>>> configuration that can not use https at all, since you have no CA fil= e >>>>> configured. >>>>> I'd like it more if there was an option where if you set cafile or >>>>> capath, you get automatic peer verification, but if you don't, you do >>>>> not have it. But it may be against the spirit of the RFC? >>>>> I know you propose a warning in this case, but judging from the story >>>>> of >>>>> the datetime timezone warning, people would still ignore it. Also >>>>> warning is not much help if for some reason you don't know where to g= et >>>>> a cert file. And there's no way to disable peer verification on ini >>>>> level. >>>>> -- >>>>> Stanislav Malyshev, Software Architect >>>>> SugarCRM: http://www.sugarcrm.com/ >>>>> (408)454-6900 ext. 227 >>>>> >>>>> >>>> >>> Morning Internalz, >>> >>> Daniel, you have to assume that nobody will even read the >>> manual; because they will not. I'm up for making it safer, but not for >>> breaking anything at all in a minor version, if we do not bundle the CA >>> file it would appear to break a bunch of requests that previously worke= d, >>> that doesn't seem good enough to me. >>> We can change the behaviour of the engine, but we cannot change >>> the behaviour of users code; if a requests works now, regardless of it'= s >>> security, it must continue to work with the default settings, therefore= , I >>> suggest that you remove the option to change the behaviour of the engin= e >>> without maintaining the behaviour of users code, if the aim is to make >>> these requests more secure by default, then allowing it to fail, by any >>> means, defeats the object of making any changes at all. >>> >>> If I'm wrong, tell me how :) >>> >>> Cheers >>> Joe >>> >>> >>> -- >>> PHP Internals - PHP Runtime Development Mailing List >>> To unsubscribe, visit: http://www.php.net/unsub.php >>> >>> >> I'm not taking sides, but given that this is a security related change, >> one could argue that security fixes should be ok to go in a minor versio= n, >> even if they break BC. >> >> -- >> Ferenc Kov=E1cs >> @Tyr43l - http://tyrael.hu >> > > --047d7b41402e1bc95404edb9cfc9--