Re: Windows Peer Verification

From:	Sanford Whiteman	Date:	Mon, 03 Feb 2014 18:35:22 +0000
Subject:	Re: Windows Peer Verification
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

I'll accept this as a delayed *bump* of my last post on the topic. ;)

> 1. Disable peer-verification by default in windows builds. Personally, I
> don't see this as a valid option as it's terrifically insecure. I believe
> it's better to fail with a warning than allow users to believe they're
> conducting safe transfers when they're 100% vulnerable to Man-in-the-Middle
> attacks.

We can't have Windows swallowing the error while other OSes do not.
Remember that not only do we have Windows production servers, but also
people developing against local Windows installs but rolling out to
other OSes.

Also, the change applies not just to CAs in the public bundle but to
private CAs that will now need to be manually trusted (on all OSes).
You want to flag this problem as early as possible in development.

I don't consider any lowered security restrictions on a Windows build
(of the same PHP version) acceptable. That would be akin to
prescribing PHP-Windows for "toy use only."

> 2. Do nothing and document heavily. Peer verification failures will already
> generate an informative error message. Beyond this, the steps required by a
> windows user to make peer verification work by default are extremely simple:

>     - Download this file: http://curl.haxx.se/ca/cacert.pem (or equivalent)
>     - openssl.cafile = C:/path/to/cacert.pem (in php.ini)

> Also, we could easily generate a painfully explicit E_WARNING in windows
> explaining exactly how to fix the problem in the absence of the requisite
> configuration.

If [2] is necesssary, then we should accept the burden of being as
verbose as possible.

> 3. Include the same PEM-formatted CA file curl distributes with windows PHP
> binaries and pre-populate the relevant php.ini directive. I don't *think*
> this would come with any licensing issues as the curl cacert file is
> licensed under the same licenses as the Mozilla source file it draws from
> (MPL 1.1, GPL v2.0 or LGPL 2.1). However, I'm not an expert in these
> matters, so others would likely need to comment.

I have no idea about the licensing burdens, but [3] is vastly
preferred if available. Encumbering Windows users with manual
configuration when WPI is supposed to be a package managaer.  

Another related possibility (if it eases licensing worries somehow) is
having a separate WPI package for "PHP CA Bundle" -- so it can be
maintained + licensed + removed separately. I know you can make one
WPI depend on another (like with the Windows Role/Feature manager et
al.).

-- Sandy



   

Thread (53 messages)

• Daniel LowreyMon, 03 Feb 2014 18:08:26 +0000
  • Pierre JoyeMon, 03 Feb 2014 18:25:33 +0000
    • Daniel LowreyMon, 03 Feb 2014 18:46:38 +0000
      • Pierre JoyeMon, 03 Feb 2014 18:49:33 +0000
        • Ferenc KovacsMon, 03 Feb 2014 19:00:44 +0000
      • Sanford WhitemanMon, 03 Feb 2014 18:59:38 +0000
        • Pádraic BradyMon, 03 Feb 2014 19:33:54 +0000
  • Sanford WhitemanMon, 03 Feb 2014 18:35:22 +0000
  • Chris WrightSat, 22 Feb 2014 00:31:28 +0000
    • Daniel LowreySat, 22 Feb 2014 00:58:44 +0000
    • Pierre JoyeSat, 22 Feb 2014 08:30:11 +0000
      • Chris WrightSat, 22 Feb 2014 10:51:14 +0000
        • Daniel LowreySat, 22 Feb 2014 13:12:40 +0000
        • Pierre JoyeSat, 22 Feb 2014 13:19:27 +0000
          • Chris WrightSat, 22 Feb 2014 22:59:30 +0000
          • Jakub ZelenkaSun, 23 Feb 2014 15:25:27 +0000
    • Ferenc KovacsTue, 25 Feb 2014 16:38:51 +0000
    • Chris WrightWed, 26 Feb 2014 09:48:38 +0000
      • Anatol BelskiWed, 26 Feb 2014 10:39:04 +0000
        • Chris WrightWed, 26 Feb 2014 11:09:31 +0000
          • Anatol BelskiWed, 26 Feb 2014 11:35:07 +0000
            • Chris WrightWed, 26 Feb 2014 11:57:27 +0000
              • Anatol BelskiWed, 26 Feb 2014 15:37:05 +0000
                • Chris WrightSun, 02 Mar 2014 21:07:19 +0000
• Daniel LowreyMon, 03 Feb 2014 19:19:36 +0000Re: Windows Peer Verification
  • Daniel LowreyMon, 03 Feb 2014 19:27:01 +0000
    • Pierre JoyeMon, 03 Feb 2014 19:39:31 +0000Re: Re: Windows Peer Verification
  • Sanford WhitemanMon, 03 Feb 2014 19:33:39 +0000Re: Re: Windows Peer Verification
    • Daniel LowreyMon, 03 Feb 2014 19:44:01 +0000
      • Sanford WhitemanMon, 03 Feb 2014 20:34:38 +0000
      • Daniel LowreyMon, 03 Feb 2014 21:45:44 +0000
        • Sanford WhitemanMon, 03 Feb 2014 22:17:26 +0000
          • Sanford WhitemanMon, 03 Feb 2014 22:21:08 +0000
          • Pádraic BradyMon, 03 Feb 2014 23:41:02 +0000
            • Sanford WhitemanMon, 03 Feb 2014 23:56:46 +0000
              • Pádraic BradyTue, 04 Feb 2014 00:29:29 +0000
                • Sanford WhitemanTue, 04 Feb 2014 00:32:39 +0000
            • Sanford WhitemanTue, 04 Feb 2014 00:05:03 +0000
              • Sanford WhitemanTue, 04 Feb 2014 00:36:12 +0000
        • Pierre JoyeTue, 04 Feb 2014 05:46:47 +0000
          • Sanford WhitemanTue, 04 Feb 2014 05:58:40 +0000
            • Pierre JoyeTue, 04 Feb 2014 06:14:43 +0000
              • Lester CaineTue, 04 Feb 2014 07:38:31 +0000
                • Pierre JoyeTue, 04 Feb 2014 07:39:14 +0000
                  • Lester CaineTue, 04 Feb 2014 07:57:24 +0000
                    • Pierre JoyeTue, 04 Feb 2014 08:00:12 +0000
                      • Lester CaineTue, 04 Feb 2014 08:29:53 +0000
                        • Pierre JoyeTue, 04 Feb 2014 08:35:19 +0000
                          • Lester CaineTue, 04 Feb 2014 09:03:02 +0000
                            • Pierre JoyeTue, 04 Feb 2014 09:24:06 +0000
                              • Sanford WhitemanThu, 06 Feb 2014 06:13:39 +0000
                                • Ferenc KovacsThu, 06 Feb 2014 14:09:49 +0000
  • Sanford WhitemanMon, 03 Feb 2014 19:37:49 +0000Re: Re: Windows Peer Verification