Hi Bryan,
On Thu, Sep 19, 2013 at 9:29 PM, Bryan C. Geraghty <[email protected]>wrote:
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Tjerk Anne Meesters
> Sent: Thursday, September 19, 2013 4:01 AM
>
> > My point is that you need a reasonably up-to-date certs bundle to enable
> verification by default.
>
> Actually, you don't. There is no reason why certificate validation cannot
> be
> enabled by default without a CA bundle. Yes, verifications will fail by
> default but this is no different than the cases where someone has an
> oddball
> provider or self-signed certificates; they have to manually add the cert
> for
> verification to pass.
>
For the most part, API libraries I've seen handle this scenario by shipping
a certificate bundle with their code. The verification setting obviously
does not apply to them, because they're handling it themselves or they
don't use streams at all.
However, I can imagine the bulk of developers will want the
file_get_contents('https://example.org') to *just work* and flipping
that
switch between versions will likely upset a horde of them.
>
> Additionally, given the current certificate climate, I wouldn't trust
> anything signed by the global CAs. If you're concerned about security, you
> should be validating the certificate fingerprint and not trusting CAs.
>
That feature is currently not very well supported in streams. However, I'm
working on a proposal to introduce [openssl_x509_digest()] which would make
this possible:
$context = stream_context_create([
'ssl' => [
'capture_peer_cert' => true,
]]);
$f = fopen($url, 'rt', false, $context);
$options = stream_context_get_options($context);
openssl_x509_digest($options['ssl']['peer_certificate'], $result);
echo "SHA1 fingerprint = ", bin2hex($result), "\n";
https://github.com/datibbaw/php-src/commit/b8f9a20286c6d88c11e81967df42d118bdba2f02
>
> Bryan
>
>
--
--
Tjerk