Re: [VOTE] Improved TLS Defaults RFC

Date: Wed, 12 Feb 2014 13:19:04 +0000
Subject: Re: [VOTE] Improved TLS Defaults RFC
On Wed, Feb 12, 2014 at 8:08 AM, Chris Wright <[email protected]> wrote:

> On 12 February 2014 12:50, Daniel Lowrey <[email protected]> wrote:
> > 1. Infinite descent is not an issue because, if unspecified, OpenSSL will
> > default to a verify depth of 9 as documented here:
> >
> > https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
>
> I would suggest that we set a default of 9 at the PHP level. I would
> prefer not to rely on OpenSSL always having a sane default. What with
> the docs (for OpenSSL) being updated so infrequently and people just
> generally configuring systems in idiotic ways, it makes sense to me to
> accept OpenSSL's stated default value, but to impose it manually
> ourselves.
>
> I personally feel that the more control we have over these settings the
> better; I'd rather not rely on any 3rd party doing anything sensibly.
>
> Thanks, Chris
>

Fair enough. Do we see value in exposing an
OPENSSL_DEFAULT_STREAM_VERIFY_DEPTH constant to userland?
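As an added illustration of the point under discussion (not code from the thread or from PHP itself): a userland stream context that imposes the verify depth explicitly instead of leaving it to whatever OpenSSL's build happens to default to. The `DEFAULT_VERIFY_DEPTH` name is a local assumption standing in for the proposed constant, and the CA bundle path and host are placeholders.

```php
<?php
// Added example, not part of the original thread.
// DEFAULT_VERIFY_DEPTH is a local stand-in for the proposed userland constant;
// the value 9 mirrors OpenSSL's documented default discussed above.
const DEFAULT_VERIFY_DEPTH = 9;

// Build an SSL stream context that pins every verification setting explicitly,
// so nothing depends on a library or distribution default.
function tlsContext(string $cafile, int $verifyDepth = DEFAULT_VERIFY_DEPTH)
{
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,          // validate the chain against $cafile
            'verify_peer_name'  => true,          // validate the hostname against the cert
            'allow_self_signed' => false,
            'cafile'            => $cafile,
            'verify_depth'      => $verifyDepth,  // abort if the chain is deeper than this
        ],
    ]);
}

// Placeholder CA bundle path and host; fail closed on any verification error.
$ctx = tlsContext('/etc/ssl/certs/ca-certificates.crt');
$stream = @stream_socket_client(
    'tls://example.com:443',
    $errno,
    $errstr,
    10,
    STREAM_CLIENT_CONNECT,
    $ctx
);
if ($stream === false) {
    fwrite(STDERR, "TLS handshake or verification failed: $errstr ($errno)\n");
    exit(1);
}
fclose($stream);
```

A chain longer than the configured depth fails the handshake rather than being accepted, which is the behaviour the explicit default is meant to guarantee regardless of how the underlying OpenSSL was built.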