Re: Re: PHP Crypt functions - security audit

From:	Daniel Lowrey	Date:	Sat, 21 Sep 2013 20:32:17 +0000
Subject:	Re: Re: PHP Crypt functions - security audit
References:	1 2 3 4 5 6 7 8 9	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Honestly that didn't even occur to me. I'd *much* rather kill the
additional functions like you suggest. As long as I am not forced to use a
PHP.ini to run I'm happy. ini_set() works fine for this and unless someone
has a compelling reason not to I'll nix the functions.

On Saturday, September 21, 2013, Nikita Popov wrote:

>
> On Sat, Sep 21, 2013 at 10:18 PM, Daniel Lowrey <[email protected]<javascript:_e({},
> 'cvml', '[email protected]');>
> > wrote:
>
>> Hello security-conscious internals people!
>>
>> I've got (what believe to be) a pretty good working solution for the
>> problem of insecure-by-default stream encryption. I need to do some more
>> thorough testing before pushing it upstream to a public fork but here's
>> the
>> quick and dirty:
>>
>
> Sounds really great! One minor nitpick:
>
> - Global CA path defaults may be specified via new "openssl.cafile" and
>> "openssl.capath" php.ini directives. This has the advantage mentioned
>> upthread of allowing distros to customize the .ini file to point to an
>> existing CA file.
>>
>> - Global CA path defaults may be specified at runtime via two new
>> functions:
>>     + bool openssl_set_default_cafile(string $cafile)
>>     + bool openssl_set_default_capath(string $capath)
>>
>
> Why do we need these functions? Can't you just specify it with
> ini_set('openssl.cafile', $file)? I don't immediately see why we need
> additional functions to set those ini options.
>
> Nikita
>
>


   

Thread (25 messages)

• Daniel LowreyMon, 16 Sep 2013 13:58:38 +0000
  • Ángel GonzálezThu, 19 Sep 2013 00:33:48 +0000Re: Re: Re: PHP Crypt functions - security audit
    • Ryan McCueThu, 19 Sep 2013 00:35:58 +0000
    • Tjerk Anne MeestersThu, 19 Sep 2013 01:06:56 +0000
      • Daniel LowreyThu, 19 Sep 2013 02:51:02 +0000
        • Ryan McCueThu, 19 Sep 2013 06:23:55 +0000
          • Daniel LowreyThu, 19 Sep 2013 06:49:09 +0000
      • Pierre JoyeThu, 19 Sep 2013 06:02:56 +0000
        • Tjerk Anne MeestersThu, 19 Sep 2013 09:01:01 +0000
          • Bryan C. GeraghtyThu, 19 Sep 2013 13:29:35 +0000RE: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
            • Daniel LowreyThu, 19 Sep 2013 17:52:27 +0000Re: Re: Re: PHP Crypt functions - security audit
              • Adam HarveyThu, 19 Sep 2013 21:41:18 +0000
                • Daniel LowreyThu, 19 Sep 2013 22:10:09 +0000
                • Ángel GonzálezFri, 20 Sep 2013 00:22:55 +0000
                • Pierre JoyeFri, 20 Sep 2013 00:31:11 +0000
                  • Adam HarveyFri, 20 Sep 2013 00:38:46 +0000
                    • Pierre JoyeFri, 20 Sep 2013 00:41:58 +0000
                      • Adam HarveyFri, 20 Sep 2013 00:48:26 +0000
            • Tjerk Anne MeestersFri, 20 Sep 2013 07:24:19 +0000Re: Re: Re: PHP Crypt functions - security audit
              • Daniel LowreySat, 21 Sep 2013 20:18:51 +0000
                • Nikita PopovSat, 21 Sep 2013 20:27:53 +0000
                  • Daniel LowreySat, 21 Sep 2013 20:32:17 +0000Re: Re: PHP Crypt functions - security audit
                • Daniel LowreyFri, 27 Sep 2013 03:59:54 +0000
      • Chris WrightThu, 19 Sep 2013 08:58:59 +0000RE: [PHP-DEV] Re: Re: PHP Crypt functions - security audit
        • Alain WilliamsThu, 19 Sep 2013 09:17:19 +0000Re: Re: Re: PHP Crypt functions - security audit