
Dangerous Option

Open StormTide opened this issue 11 years ago • 2 comments

https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L331 and the httpsverify option.

This option should be removed. There's never a time you could safely disable peer verification. The correct fix for validation/self-signed issues is to apply a cainfo/cabundle rather than disable peer verification.

StormTide avatar Jan 07 '14 17:01 StormTide

Agreed, in production there is never a time when you should be disabling peer verification. But I don't see the issue of having the option for a dev env, and defaulting to having the httpsverify turned on.

AngeloR avatar Jan 20 '14 21:01 AngeloR

If you want to configure a testing cert in development, you should provide a cainfo/cafile to validate against. However, this always talks to a real server anyway, so it shouldn't be failing SSL validation unless the server is broken (i.e. doesn't have a bundle)... Code like this tends to get left on, and configured in production. Hence it's a dangerous option to leave in.

StormTide avatar Jan 20 '14 21:01 StormTide
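To make the point of the opening post and the last comment concrete, here is an added example (not php-yubico's own code) showing the cURL setup an "httpsverify off" option produces next to the cainfo/cabundle approach the thread recommends. The function names, the `$caBundlePath` parameter, the `YUBICO_CA_BUNDLE` environment variable and the query values are assumptions chosen for illustration; `api.yubico.com/wsapi/2.0/verify` is Yubico's public validation endpoint.

```php
<?php
// Added example, not code from php-yubico. Contrasts the dangerous
// "disable peer verification" pattern with supplying a trust anchor.

// WEAK: what a boolean "httpsverify = false" switch ends up doing. Any
// on-path party can present an arbitrary certificate, so the validation
// response cannot be trusted even though the request went over "https".
function build_verify_handle_insecure($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // dangerous: no peer check
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // dangerous: no hostname check
    return $ch;
}

// HARDENED: peer and hostname verification are never configurable; a dev
// environment with a private/self-signed test CA passes its own bundle
// through CURLOPT_CAINFO instead of switching verification off.
function build_verify_handle($url, $caBundlePath = null)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if ($caBundlePath !== null) {
        if (!is_readable($caBundlePath)) {
            throw new InvalidArgumentException("CA bundle not readable: $caBundlePath");
        }
        curl_setopt($ch, CURLOPT_CAINFO, $caBundlePath); // trust anchor, not a bypass
    }
    return $ch;
}

// Constructed placeholder query values; a real client sends its own id/otp.
$url = 'https://api.yubico.com/wsapi/2.0/verify?' . http_build_query([
    'id'  => 'EXAMPLE_CLIENT_ID',
    'otp' => 'EXAMPLE_OTP',
]);
// Production: system trust store (no bundle). Dev: point the assumed
// YUBICO_CA_BUNDLE variable at the test CA file; verification stays on.
$bundle = getenv('YUBICO_CA_BUNDLE') ?: null;
$ch = build_verify_handle($url, $bundle);
$body = curl_exec($ch);
if ($body === false) {
    // A TLS failure is the signal to fix the bundle, not to set VERIFYPEER=0.
    throw new RuntimeException('TLS/transport failure: ' . curl_error($ch));
}
curl_close($ch);
```

Grepping a deployment for `CURLOPT_SSL_VERIFYPEER, false` (or `0`) is a quick way to find the "left on in production" case the last comment warns about.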