On Thu, Sep 19, 2013 at 8:33 AM, Ángel González <keis...@gmail.com> wrote:
> On 16/09/13 15:58, Daniel Lowrey wrote: > >> More generally, PHP's stream encryption aspects are quite poorly >> documented. For example, https:// streams disable peer verification by >> default. While I understand that this is necessary to provide the easiest >> possible user experience for things like `file_get_contents(" >> https://somesite.com")`, it's also horribly insecure. 99% of people using >> tools like this won't know anything about this "feature" and won't realize >> that their stream transfers are totally vulnerable to Man-in-the-Middle >> attacks by default. >> > Count me as one of those that didn't know https:// streams didn't verify > certificates. :) > *I consider this a bug* I understand that it's easier to code not > verifying the > peer, and the hostname may not be available when you are stacking ssl over > a stream. > But file_get_contents("https://...**") is *precisely* the case that > should work right > out of the box. To be practical, verifying certificates requires an up-to-date CA bundle to be shipped with PHP; perhaps this is a simple thing to do, I'm not sure. This is an oft seen scenario for cURL; the developer would see the certificate issue, search online and continue with `CURLOPT_VERIFY_PEER => 0`. That said, at least cURL is configured to check the certificate by default. > > > > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > -- -- Tjerk