rfc:tls-peer-verification

Differences

rfc:tls-peer-verification [2013/12/18 03:01] – [Vote] rdlowrey
rfc:tls-peer-verification [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 4: Line 4:
   * Date: 2013-10-15   * Date: 2013-10-15
   * Author: Daniel Lowrey, rdlowrey@gmail.com   * Author: Daniel Lowrey, rdlowrey@gmail.com
-  * Status: Voting+  * Status: Implemented (PHP-5.6)
   * First Published at: http://wiki.php.net/rfc/tls-peer-verification   * First Published at: http://wiki.php.net/rfc/tls-peer-verification
   * Major Revision (v0.1 -> v0.2): 2013-12-17   * Major Revision (v0.1 -> v0.2): 2013-12-17
Line 59: Line 59:
 //NEW ADDITIONS:// //NEW ADDITIONS://
  
-  * If none of the above methods are used to specify the necessary CA file/path info PHP will fall back to the defaults built into OpenSSL at compile time. This means that those using a distro-supplied can expect existing code to "just work" for most cases.+  * If none of the above methods are used to specify the necessary CA file/path info PHP will fall back to the defaults built into OpenSSL at compile time. This means that those using a distro-supplied PHP version can expect existing code to "just work" for most cases.
   * Only if the OpenSSL defaults cannot be loaded and no manual user assignments exist via the .ini directives or stream context options is an ''E_WARNING'' triggered due to insufficient CA settings. Manually disabling peer verification at call time can (as in the original proposal) prevent such failures.   * Only if the OpenSSL defaults cannot be loaded and no manual user assignments exist via the .ini directives or stream context options is an ''E_WARNING'' triggered due to insufficient CA settings. Manually disabling peer verification at call time can (as in the original proposal) prevent such failures.
  
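Review bot: the closing sentence of the second bullet offers call-time disabling of peer verification as a way to avoid the ''E_WARNING'' without saying what that costs; since the whole proposal is secure-by-default verification, the bullet should state that switching verification off reintroduces the man-in-the-middle exposure the RFC removes, and that the supported fix for a missing CA configuration is to set the CA file/path through the .ini directives or stream context options the first bullet refers to. The "just work" claim in the first bullet also holds only where OpenSSL's compile-time CA defaults exist and are readable by the PHP process, which is exactly the failure the second bullet's warning covers; saying so would keep the two bullets consistent.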
Line 171: Line 171:
 ===== Open Issues ===== ===== Open Issues =====
  
-  * Should PHP bundle a default CA File with the distribution?+None.
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
  
   * Should secure-by-default client peer verification be implemented for 5.6?   * Should secure-by-default client peer verification be implemented for 5.6?
-  * If secure-by-default verification is implemented, should PHP bundle a default CA file with the distribution and pre-populate the ''openssl.cafile'' php.ini directive to ensure maximum backward compatibility with existing code? 
  
-===== Patches and Tests ===== +===== Implementation =====
- +
-The patch linked below is intended as final (subject to any changes instigated during the RFC process):+
  
   * https://github.com/php/php-src/pull/494   * https://github.com/php/php-src/pull/494
-  * (update 2013-12-17) https://github.com/rdlowrey/php-src/commit/ae1a0479d562b2baed191a28ccd1b044db0c9d40 
-===== Implementation ===== 
- 
-TBD 
  
 ===== References ===== ===== References =====
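Review bot: replacing the open issue with "None." and dropping the second voting question leaves no record of how the bundled-CA-file question was resolved; add a sentence under Open Issues or Implementation stating that it was settled by falling back to the CA defaults compiled into OpenSSL (the behaviour described in the NEW ADDITIONS bullets above) rather than by shipping a CA file with PHP. The same hunk also removes the 2013-12-17 commit link (https://github.com/rdlowrey/php-src/commit/ae1a0479d562b2baed191a28ccd1b044db0c9d40) that the removed "Patches and Tests" text presented as the final patch; keep it under Implementation next to the pull request so the merged change stays traceable.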
Line 198: Line 191:
 Voting closes Dec. 31 ... happy holidays! Voting closes Dec. 31 ... happy holidays!
  
-<doodle title="Should PHP verify client peers by default in PHP 5.6?" auth="rdlowrey" voteType="single" closed="false">+<doodle title="Should PHP verify client peers by default in PHP 5.6?" auth="rdlowrey" voteType="single" closed="true">
    * Yes    * Yes
    * No    * No
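Review bot: the doodle is flipped to closed="true", but the unchanged line "Voting closes Dec. 31 ... happy holidays!" still reads as if the vote were open, and no outcome is recorded in this revision even though the Status line now says Implemented; rewrite that line in the past tense and add the final Yes/No count (or at least "accepted") after the doodle.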
rfc/tls-peer-verification.1387335660.txt.gz · Last modified: 2017/09/22 13:28 (external edit)