Newsgroups: php.internals
To: internals@lists.php.net,Andrea Faulds
Message-ID: <52B07A6C.9090305@php.net>
In-Reply-To: <52B07689.9010505@ajf.me>
Date: Tue, 17 Dec 2013 16:23:08 +0000
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification
From: krakjoe@php.net (Joe Watkins)

On 12/17/2013 04:06 PM, Andrea Faulds wrote:
>
> On 17/12/13 11:51, Joe Watkins wrote:
>> I'm saying that we should, definitely, accept the patch; in this
>> specific case we can fix the implementation or security issue without
>> affecting behaviour,
>
> Unfortunately that's not true. To fix the security issue REQUIRES
> affecting behaviour. Otherwise it's not fixed.
>

If the CA file is present with verification enabled the vast majority of requests will execute as they do now, but securely. Most of the time, no evident change. If the CA file is not present change is introduced, lots of it.

Changing the behaviour of the language from an internals perspective does not and should not mean changing the behaviour of code unless that is the intention behind the change, obviously.

Cheers
Joe