On Thu, Sep 19, 2013 at 2:02 PM, Pierre Joye <pierre....@gmail.com> wrote:

>
> On Sep 18, 2013 6:07 PM, "Tjerk Anne Meesters" <datib...@php.net> wrote:
> >
> > On Thu, Sep 19, 2013 at 8:33 AM, Ángel González <keis...@gmail.com> wrote:
> >
> > > On 16/09/13 15:58, Daniel Lowrey wrote:
> > >
> > >> More generally, PHP's stream encryption aspects are quite poorly
> > >> documented. For example, https:// streams disable peer verification by
> > >> default. While I understand that this is necessary to provide the easiest
> > >> possible user experience for things like
> > >> `file_get_contents("https://somesite.com")`, it's also horribly insecure.
> > >> 99% of people using tools like this won't know anything about this
> > >> "feature" and won't realize that their stream transfers are totally
> > >> vulnerable to Man-in-the-Middle attacks by default.
> > >>
> > > Count me as one of those that didn't know https:// streams didn't verify
> > > certificates. :)
> > > *I consider this a bug.* I understand that it's easier to code not
> > > verifying the peer, and the hostname may not be available when you are
> > > stacking ssl over a stream.
> > > But file_get_contents("https://...") is *precisely* the case that should
> > > work right out of the box.
> >
> >
> > To be practical, verifying certificates requires an up-to-date CA bundle to
> > be shipped with PHP; perhaps this is a simple thing to do, I'm not sure.
> > This is an oft-seen scenario for cURL; the developer would see the
> > certificate issue, search online and continue with `CURLOPT_VERIFY_PEER =>
> > 0`. That said, at least cURL is configured to check the certificate by
> > default.
> >
>
> FYI, curl allows to give the path to a cert db, it can be set in php.ini
> too (if I remember correctly)
>
Yes, I know that. This can also be done with the ca_file / ca_path context
options when you use streams. My point is that you need a reasonably
up-to-date certs bundle to enable verification by default.

It could be impractical to ship such a bundle with php itself, in which
case one might consider updating the documentation to highlight where such
cert bundles can be downloaded from.


-- 
--
Tjerk
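The thread above describes two things: PHP 5.x https:// streams leaving peer verification off unless the caller enables it, and the stream context options that point at a CA bundle. The following is an added example (not code from this thread or from the PHP project) showing the insecure default beside a context that turns verification on. It assumes the real option names `verify_peer`, `cafile`, `capath`, `allow_self_signed`, `CN_match` (pre-5.6) and `verify_peer_name` (5.6+); the CA bundle path and the URL are placeholders.

```php
<?php
// Added example, not from the thread: fetch an https:// URL with PHP streams
// while explicitly enabling peer verification against a CA bundle.
//
// ASSUMPTION: the CA bundle location. PHP does not ship one (the thread's point);
// this path is where a Debian-style OS package puts the system bundle.
define('CA_BUNDLE_PATH', '/etc/ssl/certs/ca-certificates.crt');

/**
 * Build a stream context that authenticates the peer.
 * On PHP < 5.6 the ssl wrapper leaves verify_peer off unless it is set here;
 * PHP 5.6+ defaults it on, but setting it explicitly documents intent.
 */
function secureHttpsContext($caBundle, $host)
{
    if (!is_readable($caBundle)) {
        // Fail closed: silently proceeding would mean an unauthenticated peer.
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    return stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,      // validate the chain against the bundle
            'cafile'            => $caBundle, // trusted roots (capath => dir is the alternative)
            'allow_self_signed' => false,     // a self-signed leaf is not a valid peer
            'CN_match'          => $host,     // pre-5.6: bind the cert to the hostname
            'verify_peer_name'  => true,      // 5.6+: hostname check (ignored on older PHP)
        ),
    ));
}

/**
 * Fetch a URL over TLS with verification enforced; throws on any failure so the
 * caller cannot accidentally treat an unverified or failed transfer as success.
 */
function fetchHttpsVerified($url, $caBundle = CA_BUNDLE_PATH)
{
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        throw new InvalidArgumentException("URL has no host: $url");
    }
    $ctx  = secureHttpsContext($caBundle, $host);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('HTTPS fetch failed: ' . ($err ? $err['message'] : 'unknown error'));
    }
    return $body;
}

// Contrast, left commented out: the pre-5.6 default the thread complains about.
// The transfer is encrypted but the peer is never authenticated, so a
// man-in-the-middle presenting any certificate is accepted.
// $body = file_get_contents('https://example.com/');

// Usage (placeholder URL):
try {
    $body = fetchHttpsVerified('https://example.com/');
    echo strlen($body), " bytes received from a verified peer\n";
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

If verification fails with the system bundle, the fix is to supply a current bundle via `cafile` or `capath` (or, as the thread notes for cURL, the php.ini setting), not to flip `verify_peer` off.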
