Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE] Improved TLS Defaults RFC
From: rdlowrey@gmail.com (Daniel Lowrey)
To: Chris Wright
Cc: "internals@lists.php.net"
Date: Wed, 12 Feb 2014 08:19:04 -0500
References: <52FA932D.5050504@sugarcrm.com>

On Wed, Feb 12, 2014 at 8:08 AM, Chris Wright wrote:

> On 12 February 2014 12:50, Daniel Lowrey wrote:
> > 1. Infinite descent is not an issue because, if unspecified, OpenSSL will
> > default to a verify depth of 9 as documented here:
> >
> > https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
>
> I would suggest that we set a default of 9 at the PHP level. I would
> prefer not to rely on OpenSSL always having a sane default. What with
> the docs (for OpenSSL) being updated so infrequently and people just
> generally configuring systems in idiotic ways, it makes sense to me to
> accept OpenSSL's stated default value, but to impose it manually
> ourselves.
>
> I personally feel that the more control we have over these settings the
> better; I'd rather not rely on any 3rd party doing anything sensibly.
>
> Thanks, Chris

Fair enough. Do we see value in exposing an OPENSSL_DEFAULT_STREAM_VERIFY_DEPTH constant to userland?