On 19 September 2013 10:52, Daniel Lowrey <rdlow...@gmail.com> wrote:
>> *I consider this a bug* I understand that it's easier to code not verifying
>> the
>> peer, and the hostname may not be available when you are stacking ssl over a
>> stream.
>> But file_get_contents("https://...";) is *precisely* the case that should
>> work right
>> out of the box.
>
> ^^ This.
>
> Before I can fully/cleanly implement these changes we need to decide
> if PHP wants to move to a secure-by-default model for streams
> utilizing the built in encryption wrappers. Thoughts?
I think we should do this in 5.6. cURL has behaved this way for
literally years at this point (verify by default, provide a switch to
disable verification) and users seem to do just fine there. The much
improved security story outweighs the (admittedly present) BC issues
for mine.
As for the CA bundle side of things, I wonder if this is one of those
rare times where an ini setting might make sense, as opposed to actual
bundling — that would allow distros to point to their packaged bundles
without needing to patch php-src, and we could provide from-source
installation instructions easily enough to point to common distro
locations and the cURL download for users on more exotic OSes (like
Windows).
Adam
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
