Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72105 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 9710 invoked from network); 3 Feb 2014 19:38:13 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2014 19:38:13 -0000 Authentication-Results: pb1.pair.com header.from=swhitemanlistens-software@cypressintegrated.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=swhitemanlistens-software@cypressintegrated.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain cypressintegrated.com designates 173.1.104.101 as permitted sender) X-PHP-List-Original-Sender: swhitemanlistens-software@cypressintegrated.com X-Host-Fingerprint: 173.1.104.101 rproxy2-b-iv.figureone.com Received: from [173.1.104.101] ([173.1.104.101:65518] helo=rproxy2-b-iv.figureone.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id EC/3D-35654-320FFE25 for ; Mon, 03 Feb 2014 14:38:12 -0500 Received: from bad.dop.co ([108.12.130.219]) by rproxy2-b-iv.figureone.com (Brand New Heavy v1.0) with ASMTP id PVP37307 for ; Mon, 03 Feb 2014 11:38:07 -0800 Date: Mon, 3 Feb 2014 14:37:49 -0500 Reply-To: Sanford Whiteman X-Priority: 3 (Normal) Message-ID: <371020024.20140203143749@cypressintegrated.com> To: Daniel Lowrey In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: Windows Peer Verification From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman) > I'm totally in agreement with everything you've said. There is no "learning > curve." The only thing required for a secure transfer in this case is the > knowledge that: > (1) You need a CA to verify that the other party is who they say they are > (2) As such, you have to tell PHP about the CA file(s) you want it to use. No. The other "only thing" required for a secure transfer on Windows, if you do not ship a working Windows installer, is that the user (3) have permission to manage the server's PHP installation For emphasis: we are talking about the PHP developer. I don't know how you can assume that the PHP dev who is authoring -- let alone simply rolling out -- a WordPress plug-in can perform this step. Perhaps "learning curve" is the wrong term. How about "newly required server privileges"? Of course, they may be able to specify a PEM in their home directory. Which means they have to change the code they are rolling out to add the extra arguments. Which means that third-party code can no longer be updated automatically. > There is nothing confusing or difficult about setting a single php.ini > value "openssl.cafile = C:\path\to\cacert.pem" > The whole point of the recently accepted RFC and the new RFC on TLS > security is to eliminate the need for users to understand TLS to use these > features. The intent of turning on peer verification by default is to enforce better security at the possible (in fact, previously documented) cost of users having to understand, if not TLS itself, how to manage a trusted CA bundle, and having permission to do so. Please, let's not pretend that these measures are "eliminating" any burdens previously placed on the user -- except the burden that follows accidentally compromising your system due to forged certificates, of course! -- S.