On Wed, Dec 19, 2012 at 5:35 AM, Pierrick Charron <pierr...@webstart.fr> wrote:

> Hi all,
>
> About 2 months ago, we had a discussion on this list about the fact
> that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean
> value (true) instead of int values (0, 1 or 2). This bad usage was
> leading to some security issues. The result of this discussion was to
> trigger a notice if someone tried to set CURLOPT_SSL_VERIFYHOST to
> true (boolean), and was committed to >= 5.4.
>
> On November 20th, Daniel (the author of libcurl) released cURL 7.28.1,
> which no longer supports the value 1 for CURLOPT_SSL_VERIFYHOST. This
> change introduced some bugs such as #63795 (you'll find the cause of the
> bug in the comments).
>
> To fix this bug, and to minimize as much as possible the impact of
> this change, I'm proposing to do the following changes in the libcurl
> extension for future releases:
>
> When using libcurl < 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger
> a notice to inform that this value is deprecated.

I don't know if it is a good way to deal with that. Does the PHP user have to be aware that the underlying libcurl is gonna change? The deprecated message may let him think that in the next *PHP* version the value will have disappeared, but in fact it's in the next *libcurl* version, regardless of PHP version.

> When using libcurl >= 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to
> 2, trigger a notice to inform the user that this value is no longer
> supported as of libcurl 7.28.1, but keep returning true.

Ok

> Also, as stated by Remy in bug #63795, when PHP is built with
> curl-wrappers, the context option "curl_verify_ssl_host" sets
> CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set
> CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as
> experimental, I don't think this will cause a lot of trouble.
>
> If you have any comment, please do; otherwise, I'll commit those
> changes on Friday to all branches (including 5.3).

Julien.P
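As an added illustration (not code from this thread or from the PHP curl extension), the boolean misuse the thread discusses beside the corrected setting, plus a guard that rejects bad values before they reach libcurl; `weak_curl_init`, `secure_curl_init` and `check_verifyhost` are hypothetical names chosen here.

```php
<?php
// Added example: why passing a boolean to CURLOPT_SSL_VERIFYHOST is dangerous.
// PHP casts true to int 1. In libcurl before 7.28.1, VERIFYHOST=1 only checked
// that the peer certificate contains a Common Name at all; it did not check
// that the name matches the host being contacted, so a valid certificate for
// any other host was accepted. Only the value 2 checks the name against the host.

// Weak form (the pattern the thread describes): reads as "verification on",
// but the host name is effectively not verified.
function weak_curl_init(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);   // silently becomes int 1
    return $ch;
}

// Hardened form: chain verification on and VERIFYHOST explicitly set to 2.
function secure_curl_init(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    return $ch;
}

// Guard for code that takes the option value from configuration: refuses
// booleans and the value 1 instead of letting libcurl interpret them.
function check_verifyhost($value): int
{
    if (!is_int($value)) {   // is_int(true) is false, so booleans land here
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be the int 0 or 2, got '
            . var_export($value, true));
    }
    if ($value === 1) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST=1 does not verify the host name and is '
            . 'not supported as of libcurl 7.28.1; use 2');
    }
    if ($value !== 0 && $value !== 2) {
        throw new InvalidArgumentException("unknown CURLOPT_SSL_VERIFYHOST value $value");
    }
    return $value;
}

// Constructed sample inputs: only the last one passes the guard.
foreach ([true, 1, 3, 2] as $candidate) {
    try {
        printf("%-5s -> accepted as %d\n", var_export($candidate, true), check_verifyhost($candidate));
    } catch (InvalidArgumentException $e) {
        printf("%-5s -> rejected: %s\n", var_export($candidate, true), $e->getMessage());
    }
}
```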