Re: Windows Peer Verification

From: Date: Sat, 22 Feb 2014 08:30:11 +0000
Subject: Re: Windows Peer Verification
References: 1 2  Groups: php.internals 
Hi Chris!

On Sat, Feb 22, 2014 at 1:31 AM, Chris Wright <[email protected]> wrote:
> Following on from this thread and Daniel's excellent work on TLS
> improvements, and liaising heavily with Daniel off-list, I have
> created a PR [1] of some work I have done to get peer verification
> working with Windows native certificate store.

Very good job! I like it! Thanks.

> This is by far and away the most preferable option as it gives "out of
> the box" support for peer verification by default on Windows, and does
> not require any additional certificate bundles or configuration. It
> also allows us to take advantage of trust updates rolled out via MS
> update systems.
>
> The implementation is complete in that it supports all existing
> features, although it needs a little polishing and some edge cases
> covering before it can be merged. The only definite known issue at the
> time of writing is that the method for fetching the CN from the
> certificate incorrectly assumes that the returned data will always be
> UTF-8 encoded, a solution for this is planned and will be implemented
> in the next day or two.
>
> I am by no means an expert on the subject matter here in any respect,
> so I encourage ruthless code review.
>
> Note that there are no new features here, it is simply looking to fill
> in the gaps in the recent work by providing consistency on Windows.


I have however some doubts about doing that now (not sure if I raised
these points already).

Using Windows CA store is a good thing, from a theoretical point of
view. However it brings a couple of issues with it. The 1st one is
compatibility: it is a different system using different methods to
store, add or manage certificates. One of the key points we try to keep
in PHP is almost 100% compatibility between Windows and other
platforms. That's one of the main reasons why I did not implement SSL
support using WinSSL APIs back then for 5.3.0.

I am also not sure about the impact this change will have on existing
code using more advanced features (context, environment customization,
etc.) of openssl, be it with streams or with openssl only. It may impact
performance as well a little bit, but I need to test it first to
compare. Did you try to see if there are performance regressions?

In the end, I would prefer to have full support of the Windows Crypto
APIs and OpenSSL using one single and unified API. The new crypto
APIs could be a good base for that. We can then provide two builds,
one for openssl and one for the Windows Crypto API support. This is
what we do in Curl for example.

I hope you do not take this reply as a bad reply, I really appreciate
this patch and the effort you put in it. But I have to say that I am
not in favor of doing that in 5.6.0 and not only for this area in any
other major version. A more global approach will be more beneficial
and may bring less confusion to our users. It will also reduce support
requests from Windows users as well, who are following the numerous
documentation out there about working with openssl on Windows, from
various areas.

Cheers,
-- 
Pierre

@pierrejoye | http://www.libgd.org
