Re: [VOTE] TLS Peer Verification
From: Ángel González
Date: Tue, 17 Dec 2013 23:42:09 +0000
Subject: Re: [VOTE] TLS Peer Verification
Groups: php.internals
On 17/12/13 19:20, Ferenc Kovacs wrote:
> It's similar to saying that we shouldn't provide a default php.ini because they are always always always overridden, everywhere.
> We are the php project, we are one of the best group of people to provide default php.ini settings.

On the other hand we have 0 experience of managing root CA lists, and there are people out there already, who are already doing that (shipping CA bundle).
A better example would be pspell: using it you need a dictionary, but we didn't ship that, we trust the user to have them.

> It doesn't make sense to provide less than what is required for everything to function properly, even if it's overridden that shouldn't be our concern, we should just concern ourselves with distributing working source code, as always, package maintenance is nothing to do with us.

CA bundle isn't source code, we don't need it, users do, it isn't necessarily our job to provide them with it, and most of the other projects seem to put this "burden" on the user/distro.

It would be nice if the ca bundle wasn't provided in the same tarball. It can be done as two links for downloading php.
For maintenance, it would be nice to reuse an existing bundle (such as Debian ca-certificates or curl's). At this point, the only thing needed is to add a link at http://www.php.net/downloads.php to download that existing file (and probably include it in php mirrors).

Finally, I would make php, in absence of an openssl.cafile directive, attempt finding it from a hardcoded path (set in configure) to the usual location for the host, so setups with no php.ini or reusing an old php.ini still work. Plus add a configure warning if it didn't find a proper file in such place. E.g.

***********************************************************************************************************
* Warning: No CA bundle was found in the location given by --cafile-path (/etc/ssl/certs/ca-certificates.crt) *
* SSL connections from PHP won't work unless a proper file is specified with openssl.cafile in php.ini        *
* See http://www.php.net/cafile for details.                                                                *
************************************************************************************************************
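The fallback Ángel proposes (honour openssl.cafile, else look in the usual host location, else warn) can be approximated from userland today; the script below is an added example, not code from the thread or from PHP itself, and the candidate bundle paths are assumptions about common distro layouts, not values taken from the message.

```php
<?php
// Added example, not from the thread. Resolves the CA bundle the same way the
// proposed configure-time fallback would, then forces peer verification on.

/**
 * Return the CA bundle path to verify peers against:
 *  1. openssl.cafile from php.ini, if set and readable;
 *  2. otherwise the first readable file among the usual host locations;
 *  3. otherwise null, after a warning mirroring the proposed configure warning.
 */
function resolve_ca_bundle(): ?string
{
    $configured = ini_get('openssl.cafile');
    if (is_string($configured) && $configured !== '' && is_readable($configured)) {
        return $configured;
    }

    // Assumed "usual locations" (Debian/Ubuntu, RHEL/Fedora, Alpine/FreeBSD, Homebrew).
    $candidates = [
        '/etc/ssl/certs/ca-certificates.crt',
        '/etc/pki/tls/certs/ca-bundle.crt',
        '/etc/ssl/cert.pem',
        '/usr/local/etc/openssl/cert.pem',
    ];
    foreach ($candidates as $path) {
        if (is_readable($path)) {
            return $path;
        }
    }

    trigger_error(
        'No CA bundle found; SSL connections will not verify peers unless '
        . 'openssl.cafile is set in php.ini',
        E_USER_WARNING
    );
    return null;
}

/** Stream context that refuses to connect without a bundle and always verifies the peer. */
function verified_tls_context()
{
    $cafile = resolve_ca_bundle();
    if ($cafile === null) {
        throw new RuntimeException('Refusing to open a TLS connection without a CA bundle');
    }
    // Set explicitly: before PHP 5.6 the stream wrappers did not verify peers by default.
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
    ]]);
}

// Usage (needs network access):
// $body = file_get_contents('https://www.php.net/', false, verified_tls_context());
```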