Hi all,

About 2 months ago, we had a discussion on this list about the fact that CURLOPT_SSL_VERIFYHOST was most of the time used with a Boolean value (true) instead of int values (0, 1 or 2). This bad usage was leading to some security issues. The result of this discussion was to trigger a notice if someone tried to set CURLOPT_SSL_VERIFYHOST to true (boolean), and this was committed to >= 5.4.

On November 20th, Daniel (the author of libcurl) released cURL 7.28.1, which no longer supports the 1 value for CURLOPT_SSL_VERIFYHOST. This change introduced some bugs such as #63795 (you'll find the cause of the bug in the comments).

To fix this bug, and to minimize as much as possible the impact of this change, I'm proposing to make the following changes in the libcurl extension for future releases:

- When using libcurl < 7.28.1, if someone tries to set CURLOPT_SSL_VERIFYHOST to 1 (or true), set the value to 1, but trigger a notice to inform that this value is deprecated.
- When using libcurl >= 7.28.1, if someone tries to set CURLOPT_SSL_VERIFYHOST to 1 (or true), set CURLOPT_SSL_VERIFYHOST to 2, trigger a notice to inform the user that this value is no longer supported as of libcurl 7.28.1, but keep returning true.

Also, as stated by Remy in bug #63795, when PHP is built with curl-wrappers, the context option "curl_verify_ssl_host" sets CURLOPT_SSL_VERIFYHOST to 1. I would like to modify this code to set CURLOPT_SSL_VERIFYHOST to 2. Since curl-wrappers is still marked as experimental, I don't think this will cause a lot of trouble.

If you have any comments, please share them; otherwise, I'll commit those changes on Friday to all branches (including 5.3).

Thanks
Pierrick
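The two rules proposed in the message above, written out as an added sketch in C (not part of the original message and not the PHP extension's own code). The function name, struct and notice enum are hypothetical; the sketch assumes the caller has already converted the PHP value to an integer (so `true` arrives as 1) and passes in the version number of the libcurl in use.

```c
#include <stdbool.h>
#include <stdio.h>

/* libcurl encodes versions as 0xXXYYZZ, so 7.28.1 is 0x071c01. */
#define CURL_7_28_1 0x071c01L

/* Hypothetical notice kinds for this sketch (not PHP identifiers). */
enum verifyhost_notice { NOTICE_NONE, NOTICE_DEPRECATED, NOTICE_UNSUPPORTED };

struct verifyhost_result {
    long value;                    /* value to hand to libcurl */
    enum verifyhost_notice notice; /* notice the extension would raise */
    bool ok;                       /* what the setopt call would return */
};

/*
 * requested:        caller's value after integer conversion (true -> 1)
 * curl_version_num: version number of the libcurl in use
 */
struct verifyhost_result normalize_verifyhost(long requested, long curl_version_num)
{
    /* 0 and 2 pass through unchanged and raise no notice. */
    struct verifyhost_result r = { requested, NOTICE_NONE, true };

    if (requested == 1) {
        if (curl_version_num >= CURL_7_28_1) {
            /* 1 is no longer supported: use 2, notify, still succeed. */
            r.value = 2;
            r.notice = NOTICE_UNSUPPORTED;
        } else {
            /* Older libcurl still accepts 1: keep it, flag as deprecated. */
            r.notice = NOTICE_DEPRECATED;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed inputs: value 1 against libcurl 7.28.0 and 7.28.1. */
    long versions[] = { 0x071c00L, 0x071c01L };
    for (int i = 0; i < 2; i++) {
        struct verifyhost_result r = normalize_verifyhost(1, versions[i]);
        printf("libcurl 0x%06lx: value=%ld notice=%d ok=%d\n",
               (unsigned long)versions[i], r.value, (int)r.notice, (int)r.ok);
    }
    return 0;
}
```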