Hi!
> Please throw your votes at the TLS Peer Verification proposal:
>
> https://wiki.php.net/rfc/tls-peer-verification
>
> Voting closes Dec. 24 ... Happy Holidays!
I'm not sure what to vote for here, because I like the ideas in the
patch about having a setting for CAfile, which in many distros would by
default enable peer verification and thus make you more secure, but I
don't like the fact that when you compile PHP, you get essentially a
configuration that cannot use https at all, since you have no CA file
configured.

I'd like it more if there was an option where if you set cafile or
capath, you get automatic peer verification, but if you don't, you do
not have it. But it may be against the spirit of the RFC?

I know you propose a warning in this case, but judging from the story of
the datetime timezone warning, people would still ignore it. Also, a
warning is not much help if for some reason you don't know where to get
a cert file. And there's no way to disable peer verification on ini level.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
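A per-connection way to get the behaviour discussed above (verification on when a CA file is configured, a hard failure instead of a silent unverified connection when it is not), as an added PHP example that is not part of this thread or the RFC patch. It assumes PHP 7.1+ for the nullable type hints and uses the existing `ssl` stream context options `verify_peer` and `cafile`; the `openssl.cafile` ini lookup refers to the directive the RFC introduces, and `ini_get()` simply returns false where it does not exist.

```php
<?php
// Added example: open an HTTPS connection that verifies the peer against an
// explicit CA bundle and refuses to fall back to an unverified connection
// when no CA file can be found. Not code from the RFC or the thread.

function resolve_cafile(?string $explicit): string
{
    // Prefer a CA file given by the caller, then the openssl.cafile ini
    // directive (the one the RFC adds; ini_get() is false on older PHP),
    // then fail loudly rather than silently skipping verification.
    $candidates = [$explicit, ini_get('openssl.cafile') ?: null];
    foreach ($candidates as $path) {
        if ($path !== null && is_readable($path)) {
            return $path;
        }
    }
    throw new RuntimeException(
        'No readable CA file configured; refusing to open an unverified TLS connection'
    );
}

function open_verified_https(string $host, ?string $cafile = null, int $timeout = 10)
{
    // verify_peer must be explicitly true here; allow_self_signed stays false so a
    // self-signed server certificate is rejected even if the CA file is found.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'cafile'            => resolve_cafile($cafile),
        'allow_self_signed' => false,
    ]]);
    $errno  = 0;
    $errstr = '';
    $sock = @stream_socket_client("ssl://{$host}:443", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // A failed handshake (untrusted issuer, expired cert, ...) ends up here.
        throw new RuntimeException("TLS handshake to {$host} failed: {$errstr} ({$errno})");
    }
    return $sock;
}

// Usage with a hypothetical bundle path (adjust for your distro):
// $sock = open_verified_https('example.com', '/etc/ssl/certs/ca-certificates.crt');
// fclose($sock);
```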