Newsgroups: php.internals
Xref: news.php.net php.internals:70801
Date: Fri, 20 Dec 2013 22:59:22 -0500
From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman)
Reply-To: Sanford Whiteman
To: Daniel Lowrey
Message-ID: <16710166888.20131220225922@cypressintegrated.com>
Subject: Re: [PHP-DEV] [UPDATE] [VOTE] TLS Peer Verification

> The patch has been improved to obviate any need for manual CA management by
> PHP itself. The new implementation takes advantage of OS and distro-managed
> CA stores. As a result, users with a distro-packaged PHP version will see
> most existing code work without any modifications while retaining control
> of the implementation on a case-by-case basis.

I'm unclear on how this change affects Windows installations, and I suspect it's not in a good way (though I could be missing something).

The PHP WPI package provided and supported by Microsoft for IIS 7+ integration (which installs core PHP 5.4 -- 32-bit at this time -- and configures FastCGI) comes with OpenSSL enabled but doesn't seem to come with a trusted CA bundle that I can detect. If a PHP 5.6 WPI comes out with no new frills, there will be problems.

The Windows CAPI store exists, of course, but I don't expect PHP is going to start using clunkers like http://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store (right?). Or, if so, can we vouch for the cross-platform performance?

-- Sandy