Newsgroups: php.internals
Xref: news.php.net php.internals:70723
Message-ID: <52B0E151.6010608@gmail.com>
Date: Wed, 18 Dec 2013 00:42:09 +0100
From: Ángel González <keisial@gmail.com>
To: Ferenc Kovacs
CC: Joe Watkins, PHP Internals
Subject: Re: [PHP-DEV] [VOTE] TLS Peer Verification
References: <52AFABF7.60105@sugarcrm.com> <52B004E2.30607@php.net> <52B03511.8040603@php.net> <52B03ADB.9050703@php.net> <52B07689.9010505@ajf.me> <52B07A6C.9090305@php.net> <52B091BF.7050200@pthreads.org>

On 17/12/13 19:20, Ferenc Kovacs wrote:
>> It's similar to saying that we shouldn't provide a default php.ini because
>> they are always always always overridden, everywhere.
> We are the php project, we are one of the best group of people to provide
> default php.ini settings.
> On the other hand we have 0 experience of managing root CA lists, and there
> are people out there already, who are already doing that (shipping CA
> bundle).
> A better example would be pspell: using it you need a dictionary, but we
> didn't ship that, we trust the user to have them.
>
>
>> It doesn't make sense to provide less than what is required for everything
>> to function properly, even if it's overridden that shouldn't be our
>> concern, we should just concern ourselves with distributing working source
>> code, as always, package maintenance is nothing to do with us.
>>
> CA bundle isn't source code, we don't need it, users do, it isn't necessarily
> our job to provide them with, and most of the other projects seem to put
> this "burden" on the user/distro.

It would be nice if the ca bundle wasn't provided in the same tarball. It can be done as two links for downloading php.
For maintenance, it would be nice to reuse an existing bundle (such as Debian ca-certificates or curl's). At this point, the only thing needed is to add a link at http://www.php.net/downloads.php to download that existing file (and probably include it in php mirrors).

Finally, I would make php, in absence of an openssl.cafile directive, attempt to find it from a hardcoded path (set in configure) to the usual location for the host, so setups with no php.ini or reusing an old php.ini still work. Plus add a configure warning if it didn't find a proper file in such place. E.g.

***************************************************************************************************************
* Warning: No CA bundle was found in the location given by --cafile-path (/etc/ssl/certs/ca-certificates.crt) *
* SSL connections from PHP won't work unless a proper file is specified with openssl.cafile in php.ini        *
* See http://www.php.net/cafile for details.                                                                  *
***************************************************************************************************************
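As an added example (not code from this thread or from PHP itself), here is the lookup order the message proposes, done in userland: honour openssl.cafile when set, otherwise probe the usual host locations, and refuse to open a verified TLS stream when no bundle exists rather than silently connecting unverified. The candidate path list beyond the Debian one named above, the function names and the warning text are assumptions.

```php
<?php
// Added example: resolve a CA bundle the way the message proposes
// (openssl.cafile first, then a configure-style default location).

// Assumed list of usual host locations. The Debian path is the one named in
// the thread; the others are common distro defaults and may need adjusting.
const CANDIDATE_CA_FILES = [
    '/etc/ssl/certs/ca-certificates.crt',     // Debian/Ubuntu ca-certificates
    '/etc/pki/tls/certs/ca-bundle.crt',       // RHEL/CentOS
    '/etc/ssl/cert.pem',                      // OpenBSD and similar
    '/usr/local/share/certs/ca-root-nss.crt', // FreeBSD
];

/**
 * Return the path of a usable CA bundle, or null if none is found.
 * A bundle configured via openssl.cafile wins; a configured-but-missing
 * file is an error, not something to paper over with the fallback list.
 */
function resolve_ca_bundle(?string $configured, array $candidates): ?string
{
    if ($configured !== null && $configured !== '') {
        return is_readable($configured) ? $configured : null;
    }
    foreach ($candidates as $path) {
        if (is_readable($path) && filesize($path) > 0) {
            return $path;
        }
    }
    return null;
}

/** Build a stream context that verifies the peer against the resolved bundle. */
function verified_tls_context()
{
    // ini_get() yields '' when unset and false when the directive is unknown.
    $cafile = resolve_ca_bundle(ini_get('openssl.cafile') ?: null, CANDIDATE_CA_FILES);
    if ($cafile === null) {
        throw new RuntimeException('No CA bundle found: set openssl.cafile in php.ini '
            . 'or install the host CA certificates (e.g. ' . CANDIDATE_CA_FILES[0] . ')');
    }
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
    ]]);
}

// Usage: the connection fails loudly instead of falling back to no verification.
$fp = stream_socket_client('tls://www.php.net:443', $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, verified_tls_context());
if ($fp === false) {
    fwrite(STDERR, "TLS connection failed ($errno): $errstr\n");
    exit(1);
}
fclose($fp);
echo "Peer certificate verified against the resolved CA bundle\n";
```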