Newsgroups: php.internals
Subject: Re: [PHP-DEV] Windows Peer Verification
From: Daniel Lowrey <rdlowrey@gmail.com>
Date: Fri, 21 Feb 2014 19:58:44 -0500
To: Chris Wright
Cc: Ferenc Kovacs, Pierre Joye, Pádraic Brady, internals@lists.php.net

On Fri, Feb 21, 2014 at 7:31 PM, Chris Wright wrote:
> Following on from this thread and Daniel's excellent work on TLS
> improvements, and liaising heavily with Daniel off-list, I have
> created a PR [1] of some work I have done to get peer verification
> working with the Windows native certificate store.
>
> This is by far and away the most preferable option as it gives "out of
> the box" support for peer verification by default on Windows, and does
> not require any additional certificate bundles or configuration. It
> also allows us to take advantage of trust updates rolled out via MS
> update systems.
>
> The implementation is complete in that it supports all existing
> features, although it needs a little polishing and some edge cases
> covering before it can be merged. The only definite known issue at the
> time of writing is that the method for fetching the CN from the
> certificate incorrectly assumes that the returned data will always be
> UTF-8 encoded; a solution for this is planned and will be implemented
> in the next day or two.
>
> I am by no means an expert on the subject matter here in any respect,
> so I encourage ruthless code review.
>
> Note that there are no new features here; it is simply looking to fill
> in the gaps in the recent work by providing consistency on Windows.
>
> [1] https://github.com/php/php-src/pull/601

Count me as a big +1 on this. Delegating out to the OS is the only good solution, and managing/distributing our own CA store is asking for trouble.

That said, I don't have any familiarity with the Windows APIs in this area. I'll be testing, poking and prodding the code in the next couple of days, though.
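The thread is about making PHP's stream-level peer verification work against the platform trust store with no bundled `cafile`, and it flags one edge case: the certificate CN is not guaranteed to be UTF-8. The following is an added example, not code from the thread, from PR #601 or from php-src. It assumes PHP 7+ with the openssl and mbstring extensions, and it shows a client that keeps `verify_peer` and `verify_peer_name` on, supplies no CA bundle so the engine falls back to the OS store, captures the leaf certificate, and then extracts and checks the CN and DNS SANs. The `hostname_matches()` helper is a deliberately conservative illustration of what `verify_peer_name` does for you; real clients should leave that check to the engine.

```php
<?php
// Added example, not from the thread or PR #601. Assumes PHP 7+, ext/openssl, ext/mbstring.
declare(strict_types=1);

/** Open a verified TLS connection and return [stream, parsed leaf certificate]. */
function tls_connect_verified(string $host, int $port = 443, float $timeout = 10.0): array
{
    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,   // validate the chain against the trust store
            'verify_peer_name'  => true,   // require the certificate to match $host
            'allow_self_signed' => false,
            'SNI_enabled'       => true,
            'peer_name'         => $host,
            'capture_peer_cert' => true,   // expose the leaf cert via context options
            // deliberately no 'cafile'/'capath': rely on the platform trust store
        ],
    ]);

    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client(
        "ssl://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        // A failed chain or name check surfaces here; do not "fix" it by disabling verify_peer.
        throw new RuntimeException("TLS connect to {$host}:{$port} failed [{$errno}]: {$errstr}");
    }

    $opts = stream_context_get_options($ctx);
    if (empty($opts['ssl']['peer_certificate'])) {
        fclose($sock);
        throw new RuntimeException('no peer certificate captured');
    }
    $parsed = openssl_x509_parse($opts['ssl']['peer_certificate']);
    if ($parsed === false) {
        fclose($sock);
        throw new RuntimeException('could not parse peer certificate');
    }
    return [$sock, $parsed];
}

/** Collect the subject CN(s) and DNS SANs from openssl_x509_parse() output. */
function cert_names(array $parsed): array
{
    $names = [];
    if (isset($parsed['subject']['CN'])) {
        // CN becomes an array when the subject repeats the attribute.
        foreach ((array) $parsed['subject']['CN'] as $cn) {
            $names[] = $cn;
        }
    }
    // subjectAltName is a flat string such as "DNS:example.com, DNS:www.example.com"
    $san = $parsed['extensions']['subjectAltName'] ?? '';
    foreach (preg_split('/\s*,\s*/', $san, -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = substr($entry, 4);
        }
    }
    return array_values(array_unique($names));
}

/**
 * Conservative hostname match: case-insensitive; a wildcard may only be the whole
 * leftmost label, may replace exactly one label, and must not sit in the
 * registrable domain (so "*.com" never matches "example.com").
 */
function hostname_matches(string $name, string $host): bool
{
    $name = strtolower($name);
    $host = strtolower($host);
    if ($name === $host) {
        return true;
    }
    if (strpos($name, '*.') !== 0) {
        return false;
    }
    $suffix    = substr($name, 1);                     // ".example.com"
    $prefixLen = strlen($host) - strlen($suffix);
    if ($prefixLen < 1 || substr($host, $prefixLen) !== $suffix) {
        return false;
    }
    $prefix = substr($host, 0, $prefixLen);
    return strpos($prefix, '.') === false && substr_count($suffix, '.') >= 2;
}

// Usage (needs network access): php client.php example.com
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    [$sock, $cert] = tls_connect_verified($argv[1]);
    foreach (cert_names($cert) as $n) {
        // The edge case from the thread: a CN is not guaranteed to be UTF-8. Treat it
        // as bytes and check before passing it to anything that assumes UTF-8.
        $shown = mb_check_encoding($n, 'UTF-8') ? $n : 'hex:' . bin2hex($n);
        printf("%-40s matches %s: %s\n", $shown, $argv[1],
            hostname_matches($n, $argv[1]) ? 'yes' : 'no');
    }
    fclose($sock);
}
```

The point of leaving `cafile` and `capath` unset is exactly the behaviour the PR targets: on a platform where the engine can consult the OS trust store, the client inherits the vendor's trust updates instead of shipping and maintaining its own bundle. The encoding check before printing mirrors the known issue Chris lists; a name pulled from a certificate is attacker-supplied input and should be validated as bytes rather than assumed to be well-formed UTF-8.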