Dangerous Option #6

Open
StormTide opened this Issue Jan 7, 2014 · 2 comments


@StormTide

https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L331 and the httpsverify option.

This option should be removed. There's never a time you could safely disable peer verification. The correct fix for validation/self-signed issues is to apply a cainfo/cabundle rather than disable peer verification.

@AngeloR
AngeloR commented Jan 20, 2014

Agreed, in production there is never a time when you should be disabling peer verification. But I don't see the issue of having the option for a dev env, and defaulting to having the httpsverify turned on.

@StormTide

If you want to configure a testing cert in development, you should provide a cainfo/cafile to validate against. However, this always talks to a real server anyway, so it shouldn't be failing SSL validation unless the server is broken (i.e. doesn't have a bundle)... Code like this tends to get left on, and configured in production. Hence it's a dangerous option to leave in.
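The pattern both comments argue for, as an added illustration (not php-yubico's own code): the only TLS knob the caller gets is a CA bundle path, and peer/host verification is never switchable off. The URL and the `YUBICO_CA_BUNDLE` environment variable are placeholders assumed for the example.

```php
<?php
// Added example, not php-yubico's code: a curl handle builder that exposes a CA
// bundle option instead of an "httpsverify" on/off switch.

function buildVerifyingCurlHandle(string $url, ?string $caBundle = null)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    // Peer and host verification stay on unconditionally; there is no
    // parameter that can turn them off.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    // For a test server with a self-signed or private-CA certificate, point
    // curl at the issuing CA rather than disabling verification.
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new InvalidArgumentException("CA bundle not readable: $caBundle");
        }
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    return $ch;
}

// The weak pattern the issue warns about, shown only for contrast. If this
// reaches production, any certificate is accepted:
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

// Placeholder validation URL and an assumed env var for the dev CA bundle.
$ch = buildVerifyingCurlHandle(
    'https://validation.example.invalid/wsapi/verify',
    getenv('YUBICO_CA_BUNDLE') ?: null
);
$body = curl_exec($ch);
if ($body === false) {
    // An untrusted certificate fails here (curl_errno 60 / 51), which is the
    // correct outcome: the request never proceeds over an unverified channel.
    fwrite(STDERR, 'TLS/HTTP error: ' . curl_error($ch) . "\n");
}
curl_close($ch);
```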
