Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72144 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71252 invoked from network); 3 Feb 2014 22:19:08 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2014 22:19:08 -0000 Authentication-Results: pb1.pair.com header.from=swhitemanlistens-software@cypressintegrated.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=swhitemanlistens-software@cypressintegrated.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain cypressintegrated.com designates 173.1.104.101 as permitted sender) X-PHP-List-Original-Sender: swhitemanlistens-software@cypressintegrated.com X-Host-Fingerprint: 173.1.104.101 rproxy2-b-iv.figureone.com Received: from [173.1.104.101] ([173.1.104.101:52327] helo=rproxy2-b-iv.figureone.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2F/FA-35654-AD510F25 for ; Mon, 03 Feb 2014 17:19:07 -0500 Received: from bad.dop.co ([108.12.130.219]) by rproxy2-b-iv.figureone.com (Brand New Heavy v1.0) with ASMTP id PYW77301 for ; Mon, 03 Feb 2014 14:19:01 -0800 Date: Mon, 3 Feb 2014 17:17:26 -0500 Reply-To: Sanford Whiteman X-Priority: 3 (Normal) Message-ID: <10337340.20140203171726@cypressintegrated.com> To: Daniel Lowrey In-Reply-To: References: <344075933.20140203143339@figureone.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Resent-From: swhitemanlistens-software@cypressintegrated.com Subject: Re: [PHP-DEV] Re: Windows Peer Verification From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman) > ini_set('openssl.cafile', 'C:\omg\this\is\too\hard.pem'); OK, users simply add ini_set on all their pages. Why bother playacting about this being worth discussing if you actually think it's \just\so\easy\for\any\user? Why start this thread? >> Or else they need to change all outbound stream >> code, which in many cases isn't even theirs to safely change. > Then I'm using a garbage library and need to migrate *immediately*. Yay! Let's tell people to "migrate immediately" from a WordPress plugin but also act like we didn't affect their PHP user experience in any way. Not even some negative impact for a net good, nope, all positive impact. I think you need to get more experience with the range of third-party code that doesn't turn on verify_peer. And frankly it is PHP's fault that most code doesn't do so, since PHP was insecure by default and never threw an error in the past. Heaping blame on library authors is absurd. If someone is writing to the Twitter API, they might not know anything about CAs, figuring, not entirely unreasonably, that making an outbound connection to https://api.twitter.com would be as verified as it would be from a browser. Furthermore, even if they did have an inkling that their connections weren't best-practices secureit is ridiculously cumbersome to try to bundle a PEM with a lightweight CMS plugin. > This is the entire point of warnings: to tell you you're doing > something wrong. Suggesting this is somehow harmful is seriously > negligent. Let's not pretend like the doctor setting a cast on a > broken arm is the problem; the broken arm is the problem. Of course it's harmful to spew warnings into a log when you damn well you could have worked harder (i.e. bundling the trusted CA bundle) to not have that happen. -- S.