By default require SSL connections to be encrypted *and* authenticated #209
My idea: Extract (or symlink) during setup into the same directory as

$ ls -1l .xp/
insgesamt 4
-rwxr-xr-x 1 friebe Domänen-Benutzer   1077 18. Dez 18:04 xp.ini
-rw-r--r-- 1 friebe Domänen-Benutzer 745032  1. Mrz 2012 ca-bundle.trust.crt

...and set a

This would have the benefit that users could add their local staging SSL certificates here extremely easily by simply putting the

Inside the implementations, we'd use
For Windows, http://www.yesjames.com/index.php/2011/10/yubikey-ssl-certificate-verification-in-php-for-windows/ might be a starting point:

[...]

This can also be done by executing

This results in https://gist.github.com/4329481

This would need to be done by a scriptable utility though
Another idea might be to follow http://www.openssl.org/support/faq.html#USER16, which states:
...but instead of exec'ing
Testing the implementation:

# Shell Window #1
$ openssl s_server -WWW -cert server.pem

# Shell Window #2
$ xp -w 'uses("peer.http.HttpConnection"); create(new HttpConnection("https://localhost:4433/"))->get()'

The client certificate (created by
Build results will soon be (or already are) available at: http://xpsrv.net:8080/job/xp-framework-pull-request-builder/2/

This has become obsolete; as of PHP 5.6, PHP handles this by itself.

It does for ext/openssl, but not in ext/curl nor in ext/ldap...

Yap, but then still, won't be fixed in xp-framework/xp-framework ...
If only using encryption, MITM attacks are easily possible, so the framework's default should be changed.

However, this pull request first serves as a discussion playground for this: to verify a peer certificate, one needs to have a list of trusted root CAs. If missing, no peer certificate will be accepted. The list can change over time, though, so bundling it with the framework is not a good option.

It would be best to use the list of CAs from the system, but there is probably no portable way of finding them. Maybe someone has insights into this.
On cygwin, there's a bundle of certs here:

-> % ls /usr/ssl/certs
README.RootCerts  ca-bundle.crt  ca-bundle.trust.crt  demo  expired

On gentoo, it is here (another, probably more suitable format):
On debian, it seems to be the same directory & format.
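The points raised in this thread (locate the system's trusted CA list, then require the peer certificate to be both encrypted and authenticated rather than merely encrypted) as an added example in plain PHP streams. This is not xp-framework code and does not use its HttpConnection API; the CA bundle candidate paths other than the cygwin one quoted above are assumptions about common distributions, and the URL is the local openssl s_server from the test recipe above.

```php
<?php
// Added example, not part of xp-framework: authenticated HTTPS via PHP stream contexts.

/**
 * Locate a trusted CA bundle on this system.
 * Order: PHP's compiled-in / ini locations (openssl_get_cert_locations(), PHP >= 5.6),
 * then a list of well-known paths. Paths are assumptions except the cygwin one
 * quoted in the discussion above. Returns null rather than guessing.
 */
function findSystemCaBundle(array $candidates = array()) {
    if (function_exists('openssl_get_cert_locations')) {
        $loc = openssl_get_cert_locations();
        foreach (array('ini_cafile', 'default_cert_file') as $key) {
            if (!empty($loc[$key]) && is_readable($loc[$key])) {
                return $loc[$key];
            }
        }
    }
    if (empty($candidates)) {
        $candidates = array(
            '/etc/ssl/certs/ca-certificates.crt',   // Debian/Ubuntu (assumption)
            '/etc/pki/tls/certs/ca-bundle.crt',     // RHEL/Fedora (assumption)
            '/usr/ssl/certs/ca-bundle.crt',         // cygwin, as listed above
        );
    }
    foreach ($candidates as $path) {
        if (is_readable($path)) {
            return $path;
        }
    }
    return null;
}

/** Encrypted *and* authenticated: chain checked against $cafile, hostname checked too. */
function secureContext($cafile) {
    return stream_context_create(array('ssl' => array(
        'verify_peer'       => true,    // validate the certificate chain
        'verify_peer_name'  => true,    // validate the hostname (PHP >= 5.6)
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'capture_peer_cert' => true,    // expose the peer cert for inspection afterwards
    )));
}

/** Encrypted only: this is the weak setting the pull request wants to move away from. */
function insecureContext() {
    return stream_context_create(array('ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    )));
}

/** Fetch $url with the given context; throw instead of silently returning nothing. */
function httpsGet($url, $context) {
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS/HTTP failure: ' . ($err ? $err['message'] : 'unknown'));
    }
    return $body;
}

$cafile = findSystemCaBundle();
if ($cafile === null) {
    // No trust store means no certificate can be accepted; refuse rather than fall back to insecureContext().
    fwrite(STDERR, "No system CA bundle found; not falling back to unverified TLS\n");
    exit(1);
}

$url = 'https://localhost:4433/';   // the openssl s_server from the test above
$ctx = secureContext($cafile);
try {
    $body = httpsGet($url, $ctx);
    $opts = stream_context_get_options($ctx);
    $info = openssl_x509_parse($opts['ssl']['peer_certificate']);
    printf("Verified peer CN=%s issued by CN=%s, %d bytes\n",
        $info['subject']['CN'], $info['issuer']['CN'], strlen($body));
} catch (RuntimeException $e) {
    // With a self-signed server.pem whose issuer is not in $cafile this branch is the
    // expected result: the connection is rejected instead of being accepted unverified.
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(2);
}
```

The self-signed server.pem from the test recipe will be rejected by secureContext() unless its issuer is added to the bundle, which is the behaviour the pull request asks for by default; swapping in insecureContext() makes the same request succeed against any certificate, which is exactly the "encryption only" gap described above. Since PHP 5.6 the verify_peer and verify_peer_name options default to true for ext/openssl streams, matching the later comment in the thread, but the explicit context still documents the intent and pins the CA file.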