rfc:tls-peer-verification

Differences

rfc:tls-peer-verification [2013/12/18 03:31] – [Open Issues] Removed CA file inclusion issue rdlowrey
rfc:tls-peer-verification [2014/01/28 21:18] – Added link to merged implementation rdlowrey
Line 4: Line 4:
   * Date: 2013-10-15   * Date: 2013-10-15
   * Author: Daniel Lowrey, rdlowrey@gmail.com   * Author: Daniel Lowrey, rdlowrey@gmail.com
-  * Status: Voting+  * Status: Implemented (PHP-5.6)
   * First Published at: http://wiki.php.net/rfc/tls-peer-verification   * First Published at: http://wiki.php.net/rfc/tls-peer-verification
   * Major Revision (v0.1 -> v0.2): 2013-12-17   * Major Revision (v0.1 -> v0.2): 2013-12-17
Line 59: Line 59:
 //NEW ADDITIONS:// //NEW ADDITIONS://
  
-  * If none of the above methods are used to specify the necessary CA file/path info PHP will fall back to the defaults built into OpenSSL at compile time. This means that those using a distro-supplied can expect existing code to "just work" for most cases.+  * If none of the above methods are used to specify the necessary CA file/path info PHP will fall back to the defaults built into OpenSSL at compile time. This means that those using a distro-supplied PHP version can expect existing code to "just work" for most cases.
   * Only if the OpenSSL defaults cannot be loaded and no manual user assignments exist via the .ini directives or stream context options is an ''E_WARNING'' triggered due to insufficient CA settings. Manually disabling peer verification at call time can (as in the original proposal) prevent such failures.   * Only if the OpenSSL defaults cannot be loaded and no manual user assignments exist via the .ini directives or stream context options is an ''E_WARNING'' triggered due to insufficient CA settings. Manually disabling peer verification at call time can (as in the original proposal) prevent such failures.
  
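Review bot: the second bullet of the Line 59 hunk says an ''E_WARNING'' is triggered when the OpenSSL defaults cannot be loaded and no CA settings exist, but it never states what happens to the stream itself; the following sentence about disabling verification to "prevent such failures" implies the connection is refused rather than opened unverified, and that fail-closed behaviour is the property readers most need spelled out. Suggest stating it explicitly, e.g. "an ''E_WARNING'' is triggered and the stream fails to open". The "distro-supplied PHP version" fix in the first bullet is good; it would also help to say that the compile-time defaults are those of the OpenSSL build PHP is linked against, so a self-built PHP against a custom OpenSSL may find no CA bundle at those paths and land on the warning path.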
Line 176: Line 176:
  
   * Should secure-by-default client peer verification be implemented for 5.6?   * Should secure-by-default client peer verification be implemented for 5.6?
-  * If secure-by-default verification is implemented, should PHP bundle a default CA file with the distribution and pre-populate the ''openssl.cafile'' php.ini directive to ensure maximum backward compatibility with existing code? 
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
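Review bot: dropping the open issue on bundling a default CA file and pre-populating ''openssl.cafile'' leaves no record in the RFC of why that option was rejected; since the Line 59 addition now relies on OpenSSL's compile-time defaults instead, a one-line note (under Open Issues or in the main text) saying that the fallback to compile-time defaults supersedes bundling would keep the decision visible to readers of the final revision.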
Line 186: Line 185:
 ===== Implementation ===== ===== Implementation =====
  
-TBD+  * https://github.com/php/php-src/commit/6edc84fcdfc8e76507bc73122310fff4b6170b88
  
 ===== References ===== ===== References =====
Line 198: Line 197:
 Voting closes Dec. 31 ... happy holidays! Voting closes Dec. 31 ... happy holidays!
  
-<doodle title="Should PHP verify client peers by default in PHP 5.6?" auth="rdlowrey" voteType="single" closed="false">+<doodle title="Should PHP verify client peers by default in PHP 5.6?" auth="rdlowrey" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
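Review bot: setting closed="true" on the doodle is correct once the status reads Implemented, but the unchanged context line "Voting closes Dec. 31 ... happy holidays!" now reads as a stale open call to vote; suggest following it with the vote outcome and the date the poll closed so the section records the result.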
rfc/tls-peer-verification.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1