On Thu, Sep 19, 2013 at 2:07 AM, Tjerk Anne Meesters
<tjerk.meest...@gmail.com> wrote:
> To be practical, verifying certificates requires an up-to-date CA bundle
> to be shipped with PHP; perhaps this is a simple thing to do, I'm not
> sure.

Unfortunately it isn't. It's easily possible to ship a current CA bundle
*at the point when PHP is built/installed* but this needs to be *kept* up
to date in order to remain useful. In the real world, people don't update
production servers with every new release and the CA bundle that was
correct at the time of print (as it were) would soon become outdated -
although arguably an outdated bundle is better than nothing.

IMHO the only real solution to this issue is education - the docs need some
big fat red boxes along the lines of "in order for this to be useful you
need an up to date CA bundle, it's dead easy to set up, here's how you do
it".

A fairly decent root CA bundle can be obtained and kept current with a
simple cron/wget for http://curl.haxx.se/ca/cacert.pem - this is not the
best source in the world but it is probably the simplest to explain to the
common man.

I figure that a CA bundle that may contain a couple of less than
trustworthy certs (see http://sourceforge.net/p/curl/bugs/1178/) is better
than completely disabling peer verification. On the same note, I suppose
that shipping this bundle with PHP is better than nothing.


On Thu, Sep 19, 2013 at 1:46 AM, Ryan McCue <li...@rotorised.com> wrote:
> PHP can't handle subjectAltNames in certificates, which causes quite a
> few failures.

+1, I've been bitten by this a couple of times, it definitely needs fixing.


On Thu, Sep 19, 2013 at 3:58 AM, Daniel Lowrey <rdlow...@gmail.com> wrote:
> P.S. Thank you to whomever updated
> http://php.net/manual/en/context.ssl.php to reflect the
> "disable_compression" SSL stream context option (and subsidized my
> laziness) :)

You're welcome :-) You've got your work cut out breaking your own
undocumented API, no time for updating other people's docs :-P


On Thu, Sep 19, 2013 at 7:10 AM, Pierre Joye <pierre....@gmail.com> wrote:
> FYI, curl allows to give the path to a cert db, it can be set in php.ini
> too (if I remember correctly)

You do. Were PHP to be shipped with a default CA bundle, it would be nice
to see the default ini files preconfigured with this, *however* PHP
requires that curl.cafile be an absolute path, which could cause issues
here. I don't know how difficult it would be to accept something that could
be unambiguous without being absolute? I would suggest that if we were to
ship a default CA bundle, it be included in the "extras" directory in the
Windows builds.


Thanks, Chris


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
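As an added example, not code from any message in this thread: a small PHP script that keeps `verify_peer` switched on, points the SSL stream context at a CA bundle such as the curl one mentioned above, and refuses to connect at all when that bundle is missing or has gone stale (the "outdated at the time of print" problem). The bundle location and the 90-day freshness threshold are assumptions for illustration.

```php
<?php
// Constructed values for illustration: bundle location and freshness threshold.
const CA_BUNDLE      = '/etc/ssl/certs/cacert.pem';
const MAX_BUNDLE_AGE = 90 * 86400; // 90 days

// Does the bundle exist, hold certificates, and is it recent enough?
function caBundleStatus($path, $maxAge)
{
    if (!is_readable($path)) {
        return array('ok' => false, 'reason' => "bundle not readable: $path");
    }
    $count = preg_match_all('/-----BEGIN CERTIFICATE-----/', file_get_contents($path));
    $age   = time() - filemtime($path);
    if ($count < 1) {
        return array('ok' => false, 'reason' => 'no certificates in bundle');
    }
    if ($age > $maxAge) {
        return array('ok' => false, 'reason' => sprintf('bundle is %d days old', $age / 86400));
    }
    return array('ok' => true, 'certs' => $count, 'age_days' => (int) ($age / 86400));
}

// Stream context that verifies the peer against the bundle. Hostname checking
// uses CN_match before PHP 5.6 and peer_name/verify_peer_name from 5.6 on.
function verifiedContext($host, $cafile)
{
    $ssl = array(
        'verify_peer'         => true,
        'cafile'              => $cafile,
        'disable_compression' => true, // the context option mentioned in the thread
    );
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = true;
        $ssl['peer_name']        = $host;
    } else {
        $ssl['CN_match'] = $host;
    }
    return stream_context_create(array('ssl' => $ssl));
}

$status = caBundleStatus(CA_BUNDLE, MAX_BUNDLE_AGE);
if (!$status['ok']) {
    fwrite(STDERR, "Refusing to connect: {$status['reason']}\n");
    exit(1);
}
$host = 'www.php.net';
$body = file_get_contents("https://$host/", false, verifiedContext($host, CA_BUNDLE));
echo $body === false ? "TLS connection failed\n" : "Verified fetch OK\n";
```

Failing closed on a stale bundle is deliberate: a bundle that nobody refreshes is exactly what the thread warns will silently rot on a production box, and the cron/wget refresh described above is what keeps the check green.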
