Hi all,

Zend_Http_Client doesn't currently allow secure HTTPS; all service libs based on Zend_Http_Client using HTTPS are working in an insecure way.

Therefore I decided to start a new flame war ;-) It's about SSL, validating server certificates using CAs / "well known" CAs and so on. You can find some discussion regarding this topic in today's #zftalk.dev log: http://zftalk.com/logs/view/zftalk.dev/2008/10/29/

Adding the possibility to validate server certs is IMO a must, but there will for sure be different opinions on CA handling and ZF's default settings:

Allow certificate validation
----------------------------

I'm really unhappy with Zend_Http_Client's "HTTPS implementation". There should either be added at least the possibility to validate server certificates (also hostname checks etc.) or there needs to be a big fat note in the Zend_Http_Client docs making developers aware that there is currently no official way to get secure HTTPS connections as long as one is not using the Curl Adapter from Standard_Incubator.

Btw: the Curl Adapter does certificate validation per default; to switch it off you have to provide a Curl option.

Implementation / CAs
--------------------

- ZF could either ship its own list of CA certs or use the ones provided by the operating system
- Debian-like distros install a package named "ca-certificates"
- Windows ships with well-known CAs, no idea how to use them

Default settings
----------------

Unfortunately switching validation on per default is not an option as it would break currently working applications. I would suggest changing this with ZF 2.0, as other libs / languages I know (CURL, Java, C# etc.) are doing so out of the box. And in my belief this is the only correct way of using HTTPS. If someone wants to do insecure things he is free to do so, but he has to explicitly switch checks off.

That's all for now!

Best regards,
Thomas Gelf
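To make the two settings the mail contrasts concrete, here is an added example (not code from the mail or from the Zend Framework) of a Zend_Http_Client using the Curl adapter with explicit certificate and hostname verification, next to the insecure configuration that an application would have to opt into. It assumes the `adapter` and `curloptions` configuration keys of `Zend_Http_Client` / `Zend_Http_Client_Adapter_Curl` as documented in later ZF 1.x releases (in 2008 the adapter still lived in the incubator), and the CA bundle path installed by Debian's "ca-certificates" package is an assumption for the system trust store.

```php
<?php
// Added illustration; not code from Thomas Gelf's mail or from Zend Framework.
// Assumes the 'adapter' and 'curloptions' config keys of Zend_Http_Client and
// Zend_Http_Client_Adapter_Curl (later ZF 1.x releases) and the Debian
// "ca-certificates" bundle path (assumption: adjust for your platform).
require_once 'Zend/Http/Client.php';
require_once 'Zend/Http/Client/Adapter/Curl.php';

// Hardened client: the server certificate must chain to a CA in $caBundle and
// its name must match the host we connected to.
function buildVerifyingClient($uri, $caBundle = '/etc/ssl/certs/ca-certificates.crt')
{
    if (!is_readable($caBundle)) {
        // Fail closed: without a readable CA bundle no chain can be validated.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    return new Zend_Http_Client($uri, array(
        'adapter'     => 'Zend_Http_Client_Adapter_Curl',
        'curloptions' => array(
            CURLOPT_SSL_VERIFYPEER => true,  // validate the chain against $caBundle
            CURLOPT_SSL_VERIFYHOST => 2,     // 2 = certificate name must match the host
            CURLOPT_CAINFO         => $caBundle,
        ),
    ));
}

// The insecure counterpart the mail says must never be the default: turning
// verification off is something the application has to do explicitly.
function buildInsecureClient($uri)
{
    return new Zend_Http_Client($uri, array(
        'adapter'     => 'Zend_Http_Client_Adapter_Curl',
        'curloptions' => array(
            CURLOPT_SSL_VERIFYPEER => false, // any certificate is accepted
            CURLOPT_SSL_VERIFYHOST => 0,     // no hostname check either
        ),
    ));
}

// Usage: a failed chain or hostname check surfaces as an adapter exception
// (a subclass of Zend_Http_Client_Exception) instead of a silent success.
$client = buildVerifyingClient('https://example.com/service');
try {
    $response = $client->request(Zend_Http_Client::GET);
    echo $response->getStatus(), "\n";
} catch (Zend_Http_Client_Exception $e) {
    echo "TLS/HTTP failure: ", $e->getMessage(), "\n";
}
```

The verifying variant refuses to start without a CA bundle rather than falling back to libcurl's compiled-in default, so a misconfigured trust store is reported at construction time instead of producing a connection that may or may not be validated.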
