Hi Bryan,

On Thu, Sep 19, 2013 at 9:29 PM, Bryan C. Geraghty <br...@ravensight.org> wrote:

> -----Original Message-----
> From: tjerk.meest...@gmail.com [mailto:tjerk.meest...@gmail.com] On Behalf
> Of Tjerk Anne Meesters
> Sent: Thursday, September 19, 2013 4:01 AM
>
> > My point is that you need a reasonably up-to-date certs bundle to enable
> > verification by default.
>
> Actually, you don't. There is no reason why certificate validation cannot be
> enabled by default without a CA bundle. Yes, verifications will fail by
> default but this is no different than the cases where someone has an oddball
> provider or self-signed certificates; they have to manually add the cert for
> verification to pass.
>

For the most part, API libraries I've seen handle this scenario by shipping
a certificate bundle with their code. The verification setting obviously
does not apply to them, because they're handling it themselves or they
don't use streams at all.

However, I can imagine the bulk of developers will want the
`file_get_contents('https://example.org')` to *just work* and flipping that
switch between versions will likely upset a horde of them.


>
> Additionally, given the current certificate climate, I wouldn't trust
> anything signed by the global CAs. If you're concerned about security, you
> should be validating the certificate fingerprint and not trusting CAs.
>

That feature is currently not very well supported in streams. However, I'm
working on a proposal to introduce [openssl_x509_digest()] which would make
this possible:

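$url = 'https://example.org';

// Ask the stream wrapper to keep the peer certificate in the context.
$context = stream_context_create([
    'ssl' => [
        'capture_peer_cert' => true,
    ],
]);

$f = fopen($url, 'rt', false, $context);

// The captured certificate is exposed through the context options.
$options = stream_context_get_options($context);

// Proposed function: writes the certificate digest into $result.
openssl_x509_digest($options['ssl']['peer_certificate'], $result);
echo "SHA1 fingerprint = ", bin2hex($result), "\n";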

https://github.com/datibbaw/php-src/commit/b8f9a20286c6d88c11e81967df42d118bdba2f02




>
> Bryan
>
>


-- 
--
Tjerk
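
Added example, not part of the original message or of the php-src proposal: a fingerprint pin check for a certificate captured via `capture_peer_cert`. Because `openssl_x509_digest()` is only proposed in this thread, the digest is computed here by hashing the certificate's DER bytes; the function names `cert_fingerprint` and `cert_is_pinned`, the SHA-256 default, and the throwaway self-signed certificate are assumptions made for the example.

```php
<?php
// Added example: pin check for a peer certificate obtained through the
// 'capture_peer_cert' stream context option.

/** Hex digest of the DER encoding of a certificate. */
function cert_fingerprint($cert, string $algo = 'sha256'): string
{
    // Export to PEM, strip the armor, base64-decode to get the DER bytes.
    if (!openssl_x509_export($cert, $pem)) {
        throw new RuntimeException('cannot export certificate');
    }
    $b64 = preg_replace('/-----(BEGIN|END) CERTIFICATE-----|\s+/', '', $pem);
    $der = base64_decode($b64, true);
    if ($der === false) {
        throw new RuntimeException('malformed PEM body');
    }
    return hash($algo, $der);
}

/** True only if the certificate matches one of the pinned hex fingerprints. */
function cert_is_pinned($cert, array $pins, string $algo = 'sha256'): bool
{
    $actual = cert_fingerprint($cert, $algo);
    $ok = false;
    foreach ($pins as $pin) {
        // Accept "AA:BB:..." style pins; compare in constant time.
        $pin = strtolower(str_replace([':', ' '], '', $pin));
        $ok = hash_equals($pin, $actual) || $ok;
    }
    return $ok;
}

// Constructed sample input: a throwaway self-signed certificate stands in
// for $options['ssl']['peer_certificate'] so the example runs offline.
$key  = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'pin-demo.invalid'], $key,
                        ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);

$pin = cert_fingerprint($cert);                          // pin recorded out of band
var_dump(cert_is_pinned($cert, [$pin]));                 // certificate matches its pin
var_dump(cert_is_pinned($cert, [str_repeat('0', 64)]));  // unknown pin is rejected
```

With a live connection, pass `$options['ssl']['peer_certificate']` to `cert_is_pinned()` before sending any request data, and close the stream if it returns false.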
