Honestly that didn't even occur to me. I'd *much* rather kill the additional functions like you suggest. As long as I am not forced to use a PHP.ini to run I'm happy. ini_set() works fine for this and unless someone has a compelling reason not to I'll nix the functions.
On Saturday, September 21, 2013, Nikita Popov wrote:

> On Sat, Sep 21, 2013 at 10:18 PM, Daniel Lowrey <rdlow...@gmail.com> wrote:
>
>> Hello security-conscious internals people!
>>
>> I've got (what I believe to be) a pretty good working solution for the
>> problem of insecure-by-default stream encryption. I need to do some more
>> thorough testing before pushing it upstream to a public fork but here's
>> the quick and dirty:
>
> Sounds really great! One minor nitpick:
>
>> - Global CA path defaults may be specified via new "openssl.cafile" and
>>   "openssl.capath" php.ini directives. This has the advantage mentioned
>>   upthread of allowing distros to customize the .ini file to point to an
>>   existing CA file.
>>
>> - Global CA path defaults may be specified at runtime via two new
>>   functions:
>>   + bool openssl_set_default_cafile(string $cafile)
>>   + bool openssl_set_default_capath(string $capath)
>
> Why do we need these functions? Can't you just specify it with
> ini_set('openssl.cafile', $file)? I don't immediately see why we need
> additional functions to set those ini options.
>
> Nikita