Re: [VOTE] Improved TLS Defaults RFC

From:	Chris Wright	Date:	Wed, 12 Feb 2014 13:08:41 +0000
Subject:	Re: [VOTE] Improved TLS Defaults RFC
References:	1 2 3 4 5	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 12 February 2014 12:50, Daniel Lowrey <[email protected]> wrote:
> 1. Infinite descent is not an issue because, if unspecified, OpenSSL will
> default to a verify depth of 9 as documented here:
>
> https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

I would suggest that we set a default of 9 at the PHP level. I would
prefer not to rely on OpenSSL always having a sane default. What with
the docs (for OpenSSL) being updated so infrequently and people just
generally configuring systems in idiotic ways it makes sense to me to
accept OpenSSL's stated default value, but to impose it manually
ourselves.

I personally feel that more control we have over these settings the
better, I'd rather not rely on any 3rd party doing anything sensibly.

Thanks, Chris


   

Thread (16 messages)

• Daniel LowreyTue, 11 Feb 2014 20:08:05 +0000
  • Stas MalyshevTue, 11 Feb 2014 21:16:29 +0000
    • Daniel LowreyTue, 11 Feb 2014 21:53:03 +0000
      • Stas MalyshevTue, 11 Feb 2014 23:43:00 +0000
        • Daniel LowreyWed, 12 Feb 2014 03:18:34 +0000
          • Stas MalyshevWed, 12 Feb 2014 06:33:49 +0000
            • Daniel LowreyWed, 12 Feb 2014 12:55:37 +0000
      • Pádraic BradyWed, 12 Feb 2014 12:17:55 +0000
        • Daniel LowreyWed, 12 Feb 2014 12:50:52 +0000
          • Chris WrightWed, 12 Feb 2014 13:08:41 +0000
            • Daniel LowreyWed, 12 Feb 2014 13:19:04 +0000
              • Chris WrightWed, 12 Feb 2014 13:56:22 +0000
  • Peter CowburnTue, 11 Feb 2014 21:27:00 +0000
    • Adam HarveyTue, 11 Feb 2014 21:33:29 +0000
    • Daniel LowreyTue, 11 Feb 2014 22:01:43 +0000
• Daniel LowreyThu, 20 Feb 2014 20:04:19 +0000Re: [VOTE] Improved TLS Defaults RFC