rfc:tls-peer-verification

Differences

rfc:tls-peer-verification [2013/12/18 03:31] – [Open Issues] Removed CA file inclusion issue rdlowrey
rfc:tls-peer-verification [2014/02/21 00:55] rdlowrey
Line 4: Line 4:
   * Date: 2013-10-15   * Date: 2013-10-15
   * Author: Daniel Lowrey, rdlowrey@gmail.com   * Author: Daniel Lowrey, rdlowrey@gmail.com
-  * Status: Voting+  * Status: Implemented (PHP-5.6)
   * First Published at: http://wiki.php.net/rfc/tls-peer-verification   * First Published at: http://wiki.php.net/rfc/tls-peer-verification
   * Major Revision (v0.1 -> v0.2): 2013-12-17   * Major Revision (v0.1 -> v0.2): 2013-12-17
Line 59: Line 59:
 //NEW ADDITIONS:// //NEW ADDITIONS://
  
-  * If none of the above methods are used to specify the necessary CA file/path info PHP will fall back to the defaults built into OpenSSL at compile time. This means that those using a distro-supplied can expect existing code to "just work" for most cases.+  * If none of the above methods are used to specify the necessary CA file/path info PHP will fall back to the defaults built into OpenSSL at compile time. This means that those using a distro-supplied PHP version can expect existing code to "just work" for most cases.
   * Only if the OpenSSL defaults cannot be loaded and no manual user assignments exist via the .ini directives or stream context options is an ''E_WARNING'' triggered due to insufficient CA settings. Manually disabling peer verification at call time can (as in the original proposal) prevent such failures.   * Only if the OpenSSL defaults cannot be loaded and no manual user assignments exist via the .ini directives or stream context options is an ''E_WARNING'' triggered due to insufficient CA settings. Manually disabling peer verification at call time can (as in the original proposal) prevent such failures.
  
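Review bot: the second bullet should state what happens to the connection when the ''E_WARNING'' fires, since "Manually disabling peer verification at call time can ... prevent such failures" implies the stream open fails, but the bullet never says so explicitly; a reader could equally read it as a warning on a connection that proceeds unverified, which is the opposite security outcome. Suggest wording such as "an ''E_WARNING'' is triggered and the stream fails to open" if that is the behaviour. The first bullet's "just work" claim also deserves a caveat: it holds only when the locations compiled into OpenSSL (the directory reported by ''openssl version -d'') actually contain a CA bundle, which is the case for distro packages but not necessarily for a self-built OpenSSL.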
Line 176: Line 176:
  
   * Should secure-by-default client peer verification be implemented for 5.6?   * Should secure-by-default client peer verification be implemented for 5.6?
-  * If secure-by-default verification is implemented, should PHP bundle a default CA file with the distribution and pre-populate the ''openssl.cafile'' php.ini directive to ensure maximum backward compatibility with existing code? 
  
-===== Patches and Tests ===== +===== Implementation =====
- +
-The patch linked below is intended as final (subject to any changes instigated during the RFC process):+
  
   * https://github.com/php/php-src/pull/494   * https://github.com/php/php-src/pull/494
-  * (update 2013-12-17) https://github.com/rdlowrey/php-src/commit/ae1a0479d562b2baed191a28ccd1b044db0c9d40 
-===== Implementation ===== 
- 
-TBD 
  
 ===== References ===== ===== References =====
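Review bot: the open issue about bundling a default CA file and pre-populating ''openssl.cafile'' is deleted without recording how it was resolved; given that the Line 59 additions answer it (fall back to the OpenSSL compile-time defaults, no bundled file), a one-line resolution under the former open issue, or in the Implementation section, would preserve that decision for readers. Also, the 2013-12-17 commit link (''ae1a0479d562b2baed191a28ccd1b044db0c9d40'') is dropped while only the pull request remains; if the merged implementation differs from what is in pull 494, the Implementation section should link the commit that actually landed in 5.6.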
Line 198: Line 191:
 Voting closes Dec. 31 ... happy holidays! Voting closes Dec. 31 ... happy holidays!
  
-<doodle title="Should PHP verify client peers by default in PHP 5.6?" auth="rdlowrey" voteType="single" closed="false">+<doodle title="Should PHP verify client peers by default in PHP 5.6?" auth="rdlowrey" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
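Review bot: the poll is now ''closed="true"'' and the header says Implemented, but the unchanged line "Voting closes Dec. 31 ... happy holidays!" still reads as an open call to vote; add the vote outcome (or at least "Voting closed") next to it so the result is recorded on the page rather than only in the poll widget.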
rfc/tls-peer-verification.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1