On Thu, Sep 19, 2013 at 5:38 PM, Adam Harvey <[email protected]> wrote:
> On 19 September 2013 17:31, Pierre Joye <[email protected]> wrote:
>> On Thu, Sep 19, 2013 at 2:41 PM, Adam Harvey <[email protected]> wrote:
>>> As for the CA bundle side of things, I wonder if this is one of those
>>> rare times where an ini setting might make sense, as opposed to actual
>>> bundling — that would allow distros to point to their packaged bundles
>>> without needing to patch php-src, and we could provide from-source
>>> installation instructions easily enough to point to common distro
>>> locations and the cURL download for users on more exotic OSes (like
>>> Windows).
>>
>> Windows supports that very well, with Curl for example. It can also
>> uses the OS certificates database.
>>
>> For the record here, curl has this setting already:
>>
>> http://us2.php.net/manual/en/curl.configuration.php#ini.curl.cainfo
>>
>> which is around for quite some time already.
>>
>> It could be possible to share it with openssl, but back then I did not
>> check it out as only curl was concerned.
>
> Is that something cURL provides, or that we do? A (very) cursory
> Google suggests that OpenSSL doesn't have support for the Windows
> certificate store natively, so we'd presumably have to patch that up
> (with a sensible default php.ini setting, if we went that way —
> "ssl.ca_bundle = win32", or something similar).
It does when you use curl's win32 SSL support. That makes my previous
point wrong as we do not compile it with this option but openssl (for
cross platform compatibility reasons). But as the curl's ca file works
just fine, everything is good.
Would it make sense to share that option for openssl itself?
>> One thing I do not remember off hand is if we actually enable cert
>> validation per default with php's curl. It should be as we discussed
>> that already many times.
>
> We do. I checked before the first e-mail. :)
Thanks :)
--
Pierre
@pierrejoye | http://www.libgd.org