Following on from this thread and Daniel's excellent work on TLS
improvements, and liaising heavily with Daniel off-list, I have
created a PR [1] of some work I have done to get peer verification
working with Windows native certificate store.
This is by far and away the most preferable option as it gives "out of
the box" support for peer verification by default on Windows, and does
not require any additional certificate bundles or configuration. It
also allows us to take advantage of trust updates rolled out via MS
update systems.
The implementation is complete in that it supports all existing
features, although it needs a little polishing and some edge cases
covering before it can be merged. The only definite known issue at the
time of writing is that the method for fetching the CN from the
certificate incorrectly assumes that the returned data will always be
UTF-8 encoded; a solution for this is planned and will be implemented
in the next day or two.
I am by no means an expert on the subject matter here in any respect,
so I encourage ruthless code review.
Note that there are no new features here; it is simply looking to fill
in the gaps in the recent work by providing consistency on Windows.
[1] https://github.com/php/php-src/pull/601
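As an added illustration that is not part of the mail or of the PR it links to, the PHP snippet below shows the client-side configuration that native certificate store support is meant to make work on Windows without a `cafile`: peer verification and peer name matching are switched on through the stream context, the leaf certificate is captured, and its subject CN is read back with the OpenSSL extension. The host name, port and the `connect_verified()` helper are assumed, not taken from the thread; the `verify_peer_name` and `peer_name` options are the ones introduced in the PHP 5.6 TLS work this mail refers to.

```php
<?php
// Added example, not code from the thread or the PR it references.
// Opens a TLS connection with peer verification enabled and returns a
// few fields from the verified peer certificate. Requires ext/openssl.

function connect_verified($host, $port = 443)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,  // chain must validate against the trust store
            'verify_peer_name'  => true,  // CN / SAN must match $host
            'peer_name'         => $host,
            'capture_peer_cert' => true,  // keep the leaf cert so it can be inspected
            // Deliberately no 'cafile': with native store support the
            // system's trust roots are consulted instead of a bundle file.
        ),
    ));

    $fp = @stream_socket_client(
        "tls://{$host}:{$port}",
        $errno,
        $errstr,
        10,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($fp === false) {
        // Verification failures (untrusted issuer, name mismatch, expiry)
        // surface here as a failed connect rather than a silent downgrade.
        throw new RuntimeException("TLS connection failed ({$errno}): {$errstr}");
    }

    $params = stream_context_get_params($fp);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);

    return array(
        'subject_cn' => isset($cert['subject']['CN']) ? $cert['subject']['CN'] : null,
        'issuer_cn'  => isset($cert['issuer']['CN'])  ? $cert['issuer']['CN']  : null,
        'valid_to'   => date('c', $cert['validTo_time_t']),
    );
}

// Usage (the host is a placeholder, not a target from the thread):
// print_r(connect_verified('example.com'));
```

The useful check here is the failure path: with `verify_peer` and `verify_peer_name` enabled, a certificate that the store does not trust, or whose name does not match `$host`, makes `stream_socket_client()` return `false` instead of handing back an unverified stream. Note also that the CN strings returned by `openssl_x509_parse()` are whatever encoding the certificate carries, which is the same assumption the mail flags as the remaining known issue in the PR.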