Newsgroups: php.internals
Date: Wed, 12 Feb 2014 13:08:41 +0000
To: Daniel Lowrey
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [VOTE] Improved TLS Defaults RFC
From: daverandom@php.net (Chris Wright)

On 12 February 2014 12:50, Daniel Lowrey wrote:
> 1. Infinite descent is not an issue because, if unspecified, OpenSSL will
> default to a verify depth of 9 as documented here:
>
> https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

I would suggest that we set a default of 9 at the PHP level. I would prefer not to rely on OpenSSL always having a sane default.

What with the docs (for OpenSSL) being updated so infrequently and people just generally configuring systems in idiotic ways, it makes sense to me to accept OpenSSL's stated default value, but to impose it manually ourselves.

I personally feel that the more control we have over these settings the better; I'd rather not rely on any 3rd party doing anything sensibly.

Thanks, Chris
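
Added example (not part of the original message and not PHP's own implementation): userland code that applies the approach suggested above, pinning the verify depth explicitly instead of inheriting whatever the linked OpenSSL uses. The helper name `secure_tls_context` and the constant `DEFAULT_VERIFY_DEPTH` are hypothetical; `verify_peer`, `verify_peer_name` and `verify_depth` are PHP's SSL context options, and 9 is the value discussed in this thread.

```php
<?php
// Added illustration. DEFAULT_VERIFY_DEPTH and secure_tls_context() are
// hypothetical names; 9 is the depth quoted in the thread.
const DEFAULT_VERIFY_DEPTH = 9;

/**
 * Build a stream context whose chain-depth limit is always set explicitly,
 * so the effective value never depends on the OpenSSL build in use.
 */
function secure_tls_context(array $userSsl = [])
{
    $defaults = [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'verify_depth'     => DEFAULT_VERIFY_DEPTH,
    ];

    // Caller-supplied options override the defaults, but every key in
    // $defaults is guaranteed to be present in the result.
    $ssl = array_replace($defaults, $userSsl);

    // Reject values that would silently disable or confuse the limit.
    if (!is_int($ssl['verify_depth']) || $ssl['verify_depth'] < 0) {
        throw new InvalidArgumentException(
            'verify_depth must be a non-negative integer'
        );
    }

    return stream_context_create(['ssl' => $ssl]);
}

// No options given: the depth is imposed by this code, not by OpenSSL.
$default = stream_context_get_options(secure_tls_context());
var_dump($default['ssl']['verify_depth']);

// An explicit, stricter limit from the caller is kept as given.
$strict = stream_context_get_options(secure_tls_context(['verify_depth' => 4]));
var_dump($strict['ssl']['verify_depth']);

// A malformed value fails loudly instead of falling back to a library default.
try {
    secure_tls_context(['verify_depth' => 'deep']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```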