Hello, internals!
I have let it idle for a couple of months but it's time to address TLS peer
verification:
https://wiki.php.net/rfc/tls-peer-verification
We essentially have three options in this area:
- Continue with peer verification disabled by default
- Implement the proposed patch but do not bundle a default CA file with
the distribution - Implement the proposed patch and bundle a CA file
In my humble opinion the first option borders on negligence and is not
really an option at all. The second choice at the very least forces users
to explicitly disable peer verification if they wish to allow insecure
transfers (like ext/curl). The third option allows most existing code to
function as-is but may carry additional licensing or distribution
difficulties (I don't really know). I would personally vote for option 2
(if I had a vote).
In any case, please share any concerns, questions or comments as I'd prefer
to initiate a vote in the next couple of days. If the patch is implemented
some significant manual updates are in order and I will work to submit
those in the event of the RFC's acceptance.
For those who'd like more information on the problem addressed by this RFC
a good external resource on the subject can be found below: