On Thu, Sep 19, 2013 at 2:02 PM, Pierre Joye <pierre....@gmail.com> wrote:
>
> On Sep 18, 2013 6:07 PM, "Tjerk Anne Meesters" <datib...@php.net> wrote:
> >
> > On Thu, Sep 19, 2013 at 8:33 AM, Ángel González <keis...@gmail.com> wrote:
> >
> > > On 16/09/13 15:58, Daniel Lowrey wrote:
> > >
> > >> More generally, PHP's stream encryption aspects are quite poorly
> > >> documented. For example, https:// streams disable peer verification by
> > >> default. While I understand that this is necessary to provide the easiest
> > >> possible user experience for things like
> > >> `file_get_contents("https://somesite.com")`, it's also horribly insecure.
> > >> 99% of people using tools like this won't know anything about this
> > >> "feature" and won't realize that their stream transfers are totally
> > >> vulnerable to Man-in-the-Middle attacks by default.
> > >>
> > > Count me as one of those that didn't know https:// streams didn't verify
> > > certificates. :)
> > > *I consider this a bug* I understand that it's easier to code not
> > > verifying the peer, and the hostname may not be available when you are
> > > stacking ssl over a stream.
> > > But file_get_contents("https://...") is *precisely* the case that
> > > should work right out of the box.
> > >
> >
> > To be practical, verifying certificates requires an up-to-date CA bundle
> > to be shipped with PHP; perhaps this is a simple thing to do, I'm not
> > sure. This is an oft seen scenario for cURL; the developer would see the
> > certificate issue, search online and continue with
> > `CURLOPT_VERIFY_PEER => 0`. That said, at least cURL is configured to
> > check the certificate by default.
> >
> FYI, curl allows to give the path to a cert db, it can be set in php.ini
> too (if I remember correctly)

Yes, I know that. This can also be done with the ca_file / ca_path context
options when you use streams. My point is that you need a reasonably
up-to-date certs bundle to enable verification by default.

It could be impractical to ship such a bundle with php itself, in which case
one might consider updating the documentation to highlight where such cert
bundles can be downloaded from.

--
--
Tjerk
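The thread above discusses the PHP stream context options that turn peer verification on for `https://` streams, and the equivalent cURL options. The following is an added illustration, not code posted by anyone in the thread: it places the permissive setting (peer verification switched off, as the pre-5.6 stream default effectively was) beside a hardened context that pins a CA bundle and checks the hostname, and shows the matching cURL configuration. The URL and the CA bundle path are placeholders; the actual PHP context keys are `verify_peer`, `cafile`, `capath`, `CN_match` (PHP 5.5 and earlier) and `verify_peer_name` (PHP 5.6 and later), and the cURL constants are `CURLOPT_SSL_VERIFYPEER`, `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_CAINFO`.

```php
<?php
// Added example; not from the mailing-list thread.
// Placeholders: substitute a real target and your platform's CA bundle.
$url      = 'https://example.com/';                  // placeholder target
$caBundle = '/etc/ssl/certs/ca-certificates.crt';   // placeholder CA bundle path
$host     = parse_url($url, PHP_URL_HOST);

// Weak: verification explicitly off. This is what a PHP <= 5.5 https:// stream
// did by default, so any certificate presented on the wire is accepted.
$weakContext = stream_context_create([
    'ssl' => [
        'verify_peer' => false,
    ],
]);

// Hardened: verify the chain against a known CA bundle and check the hostname.
$sslOpts = [
    'verify_peer'       => true,
    'cafile'            => $caBundle,   // or 'capath' => '/etc/ssl/certs'
    'allow_self_signed' => false,
];
if (PHP_VERSION_ID >= 50600) {
    // 5.6+: hostname verification has its own switch.
    $sslOpts['verify_peer_name'] = true;
} else {
    // <= 5.5: the hostname had to be matched explicitly via CN_match.
    $sslOpts['CN_match'] = $host;
}
$hardenedContext = stream_context_create(['ssl' => $sslOpts]);

/**
 * Fetch $url over an https:// stream with the given context.
 * Returns the body, or false with the TLS/HTTP warning message in $error.
 */
function fetch_with_stream($url, $context, &$error)
{
    $error = null;
    $body  = @file_get_contents($url, false, $context);
    if ($body === false) {
        $last  = error_get_last();
        $error = isset($last['message']) ? $last['message'] : 'unknown error';
    }
    return $body;
}

/**
 * Same fetch through ext/curl with chain and hostname verification on.
 * cURL verifies the peer by default; setting it explicitly makes the intent visible.
 */
function fetch_with_curl($url, $caBundle, &$error)
{
    $error = null;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // require the hostname to match the cert
        CURLOPT_CAINFO         => $caBundle,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);   // e.g. "SSL certificate problem: ..."
    }
    curl_close($ch);
    return $body;
}

$body = fetch_with_stream($url, $hardenedContext, $err);
if ($body === false) {
    fwrite(STDERR, "stream fetch failed: $err\n");
}

$body = fetch_with_curl($url, $caBundle, $err);
if ($body === false) {
    fwrite(STDERR, "curl fetch failed: $err\n");
}
```

A failed verification surfaces as a `file_get_contents` warning (captured here through `error_get_last()`) or as a `curl_error()` string; the point of the hardened context is that a tampered or mis-issued certificate produces that failure instead of a silently accepted connection.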