On Sat, Sep 21, 2013 at 10:18 PM, Daniel Lowrey <rdlow...@gmail.com> wrote:
> Hello security-conscious internals people!
>
> I've got (what I believe to be) a pretty good working solution for the
> problem of insecure-by-default stream encryption. I need to do some more
> thorough testing before pushing it upstream to a public fork but here's the
> quick and dirty:
>

Sounds really great! One minor nitpick:

> - Global CA path defaults may be specified via new "openssl.cafile" and
> "openssl.capath" php.ini directives. This has the advantage mentioned
> upthread of allowing distros to customize the .ini file to point to an
> existing CA file.
>
> - Global CA path defaults may be specified at runtime via two new
> functions:
> + bool openssl_set_default_cafile(string $cafile)
> + bool openssl_set_default_capath(string $capath)
>

Why do we need these functions? Can't you just specify it with ini_set('openssl.cafile', $file)? I don't immediately see why we need additional functions to set those ini options.

Nikita