The following solution was implemented: https://github.com/php/php-src/commit/517f800277a11d6ce05b0e1afcd0e76dc544d452

Pierrick

On 18 December 2012 23:35, Pierrick Charron <[email protected]> wrote:
> Hi all,
>
> About 2 months ago, we had a discussion on this list about the fact
> that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean
> value (true) instead of int values (0, 1 or 2). This bad usage was
> leading to some security issues. The result of this discussion was to
> trigger a notice if someone tried to set the CURLOPT_SSL_VERIFYHOST to
> true (boolean), and was committed to >= 5.4
>
> On November 20th, Daniel (the author of libcurl) released cURL 7.28.1
> which no longer supports the 1 value for CURLOPT_SSL_VERIFYHOST. This
> change introduced some bugs such as #63795 (you'll find the cause of the
> bug in the comments).
>
> To fix this bug, and to minimize as much as possible the impact of
> this change, I'm proposing to do the following changes in the libcurl
> extension for future releases:
>
> When using libcurl < 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger
> a notice to inform that this value is deprecated.
>
> When using libcurl >= 7.28.1, if someone tries to set
> CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to
> 2, trigger a notice to inform the user that this value is no longer
> supported as of libcurl 7.28.1 but keep returning true.
>
> Also, as stated by Remy in bug #63795, when PHP is built with
> curl-wrappers, the context option "curl_verify_ssl_host" sets
> CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set
> CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as
> experimental I don't think this will cause a lot of trouble.
>
> If you have any comment, please do, otherwise, I'll commit those
> changes on Friday to all branches (including 5.3).
>
> Thanks
> Pierrick

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
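
The two version rules proposed in the quoted message, written out as a small decision function. This is an added example, not part of the thread and not the code from the php-src commit; `normalize_verifyhost`, the struct and the enum are hypothetical names. It assumes a boolean `true` has already been converted to 1 and passes every other value through unchanged, since the proposal only covers 1.

```c
#include <stdio.h>

/* libcurl encodes its version as 0xXXYYZZ, so 7.28.1 is 0x071c01. */
#define CURL_7_28_1 0x071c01L

enum verifyhost_notice { NOTICE_NONE, NOTICE_DEPRECATED, NOTICE_UNSUPPORTED };

struct verifyhost_result {
    long value;                    /* value to pass on to libcurl */
    enum verifyhost_notice notice; /* notice the binding should raise */
};

/* Hypothetical helper: `requested` is the caller's value after
 * boolean-to-int conversion (true becomes 1); `curl_version_num` is the
 * version of the libcurl in use, in 0xXXYYZZ form. */
struct verifyhost_result normalize_verifyhost(long requested, long curl_version_num)
{
    struct verifyhost_result r = { requested, NOTICE_NONE };

    if (requested == 1) {
        if (curl_version_num >= CURL_7_28_1) {
            r.value = 2;                   /* 1 is rejected: use full check */
            r.notice = NOTICE_UNSUPPORTED;
        } else {
            r.notice = NOTICE_DEPRECATED;  /* keep 1, warn the caller */
        }
    }
    return r; /* 0 and 2 are returned untouched, without a notice */
}

int main(void)
{
    /* Constructed sample inputs: two libcurl versions, three settings. */
    const long versions[] = { 0x071c00L, 0x071c01L }; /* 7.28.0, 7.28.1 */
    const long settings[] = { 0, 1, 2 };
    const char *names[] = { "none", "deprecated", "unsupported" };

    for (int v = 0; v < 2; v++) {
        for (int s = 0; s < 3; s++) {
            struct verifyhost_result r =
                normalize_verifyhost(settings[s], versions[v]);
            printf("libcurl 0x%06lx: requested %ld -> set %ld, notice=%s\n",
                   versions[v], settings[s], r.value, names[r.notice]);
        }
    }
    return 0;
}
```
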
