After some discussion in #php.pecl, the efforts of php.net's crack research
team (a.k.a. Joe Watkins) and a suggestion by Rasmus it was determined that
the original peer verification vote should be discarded in favor of
clarification.
The patch has been improved to obviate any need for manual CA management by
PHP itself. The new implementation takes advantage of OS and distro-managed
CA stores. As a result, users with a distro-packaged PHP version will see
most existing code work without any modifications while retaining control
of the implementation on a case-by-case basis.
This is an ideal solution as it preserves BC for many (likely most)
scenarios while simultaneously improving security. The changes are clearly
marked and summarized in the updated RFC. The original vote has been closed
and the new vote consists of only two options: Yes or No.
Thanks for your time and apologies to those tasked with duplicating their
original voting efforts.
> The patch has been improved to obviate any need for manual CA management by
> PHP itself. The new implementation takes advantage of OS and distro-managed
> CA stores. As a result, users with a distro-packaged PHP version will see
> most existing code work without any modifications while retaining control
> of the implementation on a case-by-case basis.
I'm unclear on how this change affects Windows installations, and I
suspect it's not in a good way (though I could be missing something).
The PHP WPI package provided and supported by Microsoft for IIS 7+
integration (which installs core PHP 5.4 -- 32-bit at this time -- and
configures FastCGI) comes with OpenSSL enabled but doesn't seem to
come with a trusted CA bundle that I can detect. If a PHP 5.6 WPI
comes out with no new frills, there will be problems.
The Windows CAPI store exists, of course, but I don't expect PHP is
going to start using clunkers like
http://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store
(right?). Or, if so, can we vouch for the cross-platform performance?
-- Sandy
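The two points above (PHP 5.6 deferring to the OS/distro CA store, and a Windows build that ships no bundle) can be checked from userland. The following is an added example, not code from the RFC patch or from either message; it assumes PHP >= 5.6 (where openssl_get_cert_locations(), the openssl.cafile/openssl.capath ini settings and the verify_peer_name context option were introduced), and the fallback bundle path and host are placeholders.

```php
<?php
// Locate the CA store OpenSSL will use for peer verification, in the same
// order PHP 5.6 consults them: ini override first, then compiled-in defaults.
function find_ca_store() {
    $file = ini_get('openssl.cafile');
    if (!empty($file) && is_readable($file)) {
        return array('cafile' => $file);
    }
    $dir = ini_get('openssl.capath');
    if (!empty($dir) && is_dir($dir)) {
        return array('capath' => $dir);
    }
    // Compiled-in OpenSSL defaults: the distro-managed store on most Linux
    // builds; frequently absent on a Windows build shipped without a bundle.
    $loc = openssl_get_cert_locations();
    if (!empty($loc['default_cert_file']) && is_readable($loc['default_cert_file'])) {
        return array('cafile' => $loc['default_cert_file']);
    }
    if (!empty($loc['default_cert_dir']) && is_dir($loc['default_cert_dir'])) {
        return array('capath' => $loc['default_cert_dir']);
    }
    return null;
}

// Build a stream context that always verifies the peer. If no OS store is
// found, use an explicitly shipped bundle; if that is missing too, fail
// closed rather than silently disabling verification.
function verified_context($fallback_cafile) {
    $ca = find_ca_store();
    if ($ca === null) {
        if (!is_readable($fallback_cafile)) {
            throw new RuntimeException('No trusted CA store available; refusing unverified TLS');
        }
        $ca = array('cafile' => $fallback_cafile);
    }
    $ssl = array_merge(array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
    ), $ca);
    return stream_context_create(array('ssl' => $ssl));
}

// Usage (placeholder bundle path and host; performs a real TLS handshake).
$ctx = verified_context(__DIR__ . '/cacert.pem');
$fp  = stream_socket_client('tls://example.com:443', $errno, $errstr, 10,
                            STREAM_CLIENT_CONNECT, $ctx);
echo $fp === false ? "TLS failed: $errstr\n" : "peer verified\n";
if ($fp !== false) { fclose($fp); }
```

On a distro PHP the context resolves to the system store without any cafile in the script; on a Windows build with no bundle, find_ca_store() returns null and the explicit bundle (or the exception) is what stands between the code and an unverified connection.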