Newsgroups: php.internals
Xref: news.php.net php.internals:72096
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Mon, 3 Feb 2014 13:46:38 -0500
To: Pierre Joye
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Windows Peer Verification
From: rdlowrey@gmail.com (Daniel Lowrey)

On Mon, Feb 3, 2014 at 1:25 PM, Pierre Joye wrote:

>> Please define everywhere else. Last time I checked OpenSsl does not
>> support Windows CA store. One has to fetch the binary cert from the
>> store and parse it using Openssl.

Sorry, I was unclear. It works out of the box in Mac and the *nix distros where I tested. OpenSSL stopped shipping their own CA file long ago and distros generally synthesize the location of certs with OpenSSL compile time. The Windows cert store uses a different format that can be converted to the PEM format OpenSSL requires, but for reasons mentioned in my original mail this is not really an ideal solution.

>> In sane distros

> Just because OpenSsl is not used does not mean it is insane, at some
> point I could even think the contrary :)

Again, apologies for being unclear. By "sane" I simply meant that distros keep their certs up-to-date and the environment variables available to OpenSSL at compile time reflect the location where the OS stores these certs. A distro handing out openssl binaries without these cert locations would be what I classify as "not sane." I'm not trying to imply Windows inferiority; only difference. The lack of clarity is my fault.

>> However, windows uses a different certificate format which first requires
>> conversion to .PEM for use with OpenSSL libs.

> Right, except with projects like curl, they provide SSL backend using
> the native Windows SSL APIs. Sadly it cannot be used in parallel.

Absolutely. And this is the point of my mail: how best to allow the most secure and user-friendly experience for users implementing the native PHP API which, for better or worse, relies on the open PEM format used by openssl.

For users who get their PHP as part of a distro this largely is a non-issue because it's handled by the OS. Again, I'm not claiming Windows inferiority; only difference. With Mac/*nix we don't have to worry about it because they're (currently) supporting OpenSSL-backed solutions. There's no additional step required there.

> Again, please keep in mind that it is not a windows only problem. This
> issue has to be addressed on all supported platforms.

Once more, I will make sacrifices to the deity of Windows retribution for the unintentional pejorative tone of my original mail :)

The only real question here is this:

***** Should we ship a CA file? *****

Personally, I say no. If people are going to programmatically use encrypted stream transfers they need to at the very least understand the basics of the CA system. We shouldn't subsidize insecurity, and it's trivially easy to procure a CA file.
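The CA-file resolution the thread describes (OpenSSL's compile-time default on distros, a converted PEM bundle on Windows), written as an added example that is not code from the thread or from PHP itself. It assumes PHP 5.6 or later for `openssl_get_cert_locations()` and the `verify_peer_name` option; the fallback paths are conventional distro locations, not guaranteed ones.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.6 for
// openssl_get_cert_locations() and 'verify_peer_name'; the fallback
// paths are conventional distro locations, not guaranteed ones.

// Resolve a PEM CA bundle: prefer what the distro baked into OpenSSL at
// compile time (the "sane distro" case), then well-known OS paths. On
// Windows there is no PEM bundle by default; pass a converted one in.
function findCaBundle(array $extraCandidates = [])
{
    $candidates = $extraCandidates;
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        // openssl.cafile (php.ini) wins, then OpenSSL's compiled-in default.
        foreach (['ini_cafile', 'default_cert_file'] as $key) {
            if (!empty($loc[$key])) {
                $candidates[] = $loc[$key];
            }
        }
    }
    $candidates = array_merge($candidates, [
        '/etc/ssl/certs/ca-certificates.crt', // Debian/Ubuntu
        '/etc/pki/tls/certs/ca-bundle.crt',   // RHEL/Fedora
        '/etc/ssl/cert.pem',                  // macOS/BSD
    ]);
    foreach ($candidates as $path) {
        if (is_file($path) && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Verify chain and hostname; refuse to connect rather than downgrade.
function secureTlsContext($cafile)
{
    if ($cafile === null) {
        throw new RuntimeException('No CA bundle found; refusing unverified TLS');
    }
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
    ]]);
}

// Throws instead of silently opening an unverified connection.
$ctx = secureTlsContext(findCaBundle());
```

Pass `$ctx` as the last argument of `stream_socket_client('tls://host:443', ...)`; a missing bundle then surfaces as an exception at context creation rather than as a connection that skipped verification.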