Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70719 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 27809 invoked from network); 17 Dec 2013 18:20:59 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Dec 2013 18:20:59 -0000 Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.128.54 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.128.54 mail-qe0-f54.google.com Received: from [209.85.128.54] ([209.85.128.54:42211] helo=mail-qe0-f54.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id F7/C3-32483-A0690B25 for ; Tue, 17 Dec 2013 13:20:59 -0500 Received: by mail-qe0-f54.google.com with SMTP id cy11so5436736qeb.41 for ; Tue, 17 Dec 2013 10:20:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=lStbxWpYEVZu9D6NwtWEG70KrZ9MDY4VBFHtna3u8zI=; b=UMO3zHaF2RKMr1LcSFeUcbTHf628yhmLjMl6mjYK2/R+fa+7Tcwwup8a8ZgmJKkP9B +K2Liw8/PDmig7pC5eSPDoUsLnYMmjAyoLXoSWUadVUA7yRYBbKTSWrvT5EiznlSmFxR FSqZ3Zgn+Nx2wi/1t+Qof9F9RpHan+IF01Yapq+doPiAb4dLo667HUQ5XlN9D0ycXMk1 dJ4mzCmooiOG/7qeoj2iHSIssTo6I5ADcH+p3yNcjk03GxHWKhcuvMKZPceWVWJD09Si x6fPEufWu9Qt29mUglhGi2icUkuUKt9JIR2Jv53IcGtwiWvJEK08C8xY3X1998V7QbpO SmLA== MIME-Version: 1.0 X-Received: by 10.49.94.177 with SMTP id dd17mr45547917qeb.14.1387304456012; Tue, 17 Dec 2013 10:20:56 -0800 (PST) Received: by 10.140.37.179 with HTTP; Tue, 17 Dec 2013 10:20:55 -0800 (PST) In-Reply-To: <52B091BF.7050200@pthreads.org> References: <52AFABF7.60105@sugarcrm.com> <52B004E2.30607@php.net> <52B03511.8040603@php.net> <52B03ADB.9050703@php.net> <52B07689.9010505@ajf.me> <52B07A6C.9090305@php.net> <52B091BF.7050200@pthreads.org> Date: Tue, 17 Dec 2013 19:20:55 +0100 Message-ID: To: Joe Watkins , PHP Internals Content-Type: multipart/alternative; boundary=047d7b6731b24bc8cb04edbefdde Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification From: tyra3l@gmail.com (Ferenc Kovacs) --047d7b6731b24bc8cb04edbefdde Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Tue, Dec 17, 2013 at 7:02 PM, Joe Watkins wrote: > On 12/17/2013 05:43 PM, Ferenc Kovacs wrote: > > > > > On Tue, Dec 17, 2013 at 5:23 PM, Joe Watkins wrote: > >> On 12/17/2013 04:06 PM, Andrea Faulds wrote: >> >>> >>> >>> On 17/12/13 11:51, Joe Watkins wrote: >>> >>>> I'm saying that we should, definitely, accept the patch; in this >>>> specific case we can fix the implementation or security issue without >>>> affecting behaviour, >>>> >>> >>> Unfortunately that's not true. To fix the security issue REQUIRES >>> affecting behaviour. Otherwise it's not fixed. >>> >>> >> If the CA file is present with verification enabled the vast majority >> of requests will execute as they do now, but securely. Most of the time,= no >> evident change. If the CA file is not present change is introduced, lots= of >> it. >> >> Changing the behaviour of the language from an internals perspective doe= s >> not and should not mean changing the behaviour of code unless that is th= e >> intention behind the change, obviously. >> >> >> Cheers >> Joe >> >> -- >> PHP Internals - PHP Runtime Development Mailing List >> To unsubscribe, visit: http://www.php.net/unsub.php >> >> > Yes, as I mentioned shipping a CA file would help some users (we can only > guess here, but I think most users would be using the shared CA bundle fr= om > their distro, and only a small percentage would use the one that we > provided). > > On the other hand everybody else apart from the browsers seems to be > trying to *not* ship their own CA bundle anymore. > Python doesn't ship one (even though it was requested: > http://bugs.python.org/issue13655) > Ruby doesn't ship one. > Java has it's own: > http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html= distros try to wrap that away, which can cause bugs like this: > https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/92075= 8 > Perl doesn't ship one, but has multiple cpan modules which provide CA > bundles. > > I stopped looking, but I really think that we should refrain from > shipping a CA bundle and take the burden of maintenance to ourselves. > > -- > Ferenc Kov=C3=A1cs > @Tyr43l - http://tyrael.hu > > > I'm not sure it's really relevant; since we don't know what position they > were in when they started to reference the CA file properly. > Not sure what you are trying to say here. > This is the strange way round to do it, it would be a no brainer if we > were just introducing the support for ssl requests, but we're not. > Yeah, then it wouldn't be a BC. > > It's similar to saying that we shouldn't provide a default php.ini becaus= e > they are always always always overridden, everywhere. > We are the php project, we are one of the best group of people to provide default php.ini settings. On the other hand we have 0 experience of managing root CA lists, and there are people out there already, who are already doing that (shipping CA bundle). A better example would be pspell: using it you need a dictionary, but we didn't ship that, we trust the user to have them. > It doesn't make sense to provide less than what is required for everythin= g > to function properly, even if it's overridden that shouldn't be our > concern, we should just concern ourselves with distributing working sourc= e > code, as always, package maintenance is nothing to do with us. > CA bundle isn't source code, we don't need it, users to, it isn't necessary our job to provide them with, and most of the other project seems to put this "burden" to the user/distro. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --047d7b6731b24bc8cb04edbefdde--