To those interested, a patch enabling TLS peer verification by default for
client streams is now available here:
https://wiki.php.net/rfc/tls-peer-verification
Please note that this RFC is limited to client peer verification. I do
have other outstanding ext/openssl PRs (atomic, tested) that do not merit
RFC discussion (but are no less important). Each of these PRs addresses
existing TLS security issues without breaking BC:
Honor Cipher Order
https://github.com/php/php-src/pull/493
Client-Initiated Renegotiation DoS
https://github.com/php/php-src/pull/486
TLSv1.1 and TLSv1.2 Support
https://github.com/php/php-src/pull/483
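As an added example (not code from the RFC or the PRs linked above), here is a client stream that turns peer verification on explicitly rather than relying on whatever the default happens to be, next to the unverified form it replaces. It assumes PHP 5.6 or later, where the verify_peer_name and peer_name context options exist, and the CA bundle path is a placeholder.

```php
<?php
// Added example, not part of the RFC or the linked PRs.
// Opens a TLS client stream that fails closed on an untrusted or mismatched
// certificate, regardless of the build's default for verify_peer.
function open_verified_tls_client($host, $port, $cafile, $timeout = 10.0)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'         => true,    // validate the chain against $cafile
            'verify_peer_name'    => true,    // validate the hostname in the certificate
            'allow_self_signed'   => false,   // reject self-signed leaf certificates
            'cafile'              => $cafile, // trust anchors (path is an assumption)
            'peer_name'           => $host,   // name the certificate must match
            'disable_compression' => true,    // avoid TLS-compression side channels
        ),
    ));

    $errno  = 0;
    $errstr = '';
    $stream = @stream_socket_client(
        "tls://{$host}:{$port}", $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $context
    );

    if ($stream === false) {
        // A verification failure arrives as a false return plus a warning.
        // Treat it as fatal; never fall back to an unverified connection.
        throw new RuntimeException(
            "TLS connect to {$host}:{$port} failed ({$errno}): {$errstr}"
        );
    }
    return $stream;
}

// For contrast: a client that relies on the pre-RFC default effectively gets
// this. It will complete the handshake with any certificate at all.
function open_unverified_tls_client($host, $port)
{
    $context = stream_context_create(array('ssl' => array('verify_peer' => false)));
    return stream_socket_client(
        "tls://{$host}:{$port}", $errno, $errstr, 10.0,
        STREAM_CLIENT_CONNECT, $context
    );
}

// Usage (CA bundle path is a placeholder for this example):
// $s = open_verified_tls_client('example.com', 443, '/path/to/ca-bundle.crt');
```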
> To those interested, a patch enabling TLS peer verification by default for
> client streams is now available here:
I just wanted to say thank you for taking the time to put this RFC and
pull request together. It makes me happy to see movement in this direction
— I think it goes without saying how desperately we need improvements and
consistency in this area. As mentioned in the RFC, having global defaults
in the ini will be perfect for distribution package maintainers.
Thanks again,
--
Evan Coury