On Fri, Feb 21, 2014 at 7:31 PM, Chris Wright <[email protected]> wrote:
> Following on from this thread and Daniel's excellent work on TLS
> improvements, and liaising heavily with Daniel off-list, I have
> created a PR [1] of some work I have done to get peer verification
> working with Windows native certificate store.
>
> This is by far and away the most preferable option as it gives "out of
> the box" support for peer verification by default on Windows, and does
> not require any additional certificate bundles or configuration. It
> also allows us to take advantage of trust updates rolled out via MS
> update systems.
>
> The implementation is complete in that it supports all existing
> features, although it needs a little polishing and some edge cases
> covering before it can be merged. The only definite known issue at the
> time of writing is that the method for fetching the CN from the
> certificate incorrectly assumes that the returned data will always be
> UTF-8 encoded; a solution for this is planned and will be implemented
> in the next day or two.
>
> I am by no means an expert on the subject matter here in any respect,
> so I encourage ruthless code review.
>
> Note that there are no new features here, it is simply looking to fill
> in the gaps in the recent work by providing consistency on Windows.
>
> [1] https://github.com/php/php-src/pull/601
>
Count me as a big +1 on this. Delegating out to the OS is the only good
solution and managing/distributing our own CA store is asking for trouble.
That said, I don't have any familiarity with the Windows APIs in this area.
I'll be testing, poking and prodding the code in the next couple of days,
though.