@rdlowrey
rdlowrey / php56-ssl-tls-improvements.md
Created February 16, 2014 17:07
SSL/TLS improvements in PHP 5.6

[RFC] TLS Peer Verification

  • Verify peer certificates in client streams by default
  • Use operating system managed default cert stores if not otherwise specified
  • Windows is still an issue as it uses a different cert format (I'm working on it)

[RFC] Improved TLS Defaults

  • Makes everything SSL/TLS more secure without any user knowledge required
  • Vastly improved support for encrypted stream servers (à la node.js)
@rdlowrey
rdlowrey / strict-scalars.php
Last active August 29, 2015 14:15
Are you *sure* you don't need strict scalar typehints?
<?php
$ch = curl_init();
// 1: only verify that the peer cert HAS a name field
// 2: verify that the name ACTUALLY matches the domain you connected to
// true: cast to 1
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
// Mercifully the newest versions of libcurl now disable 1 for this setting.
// This is a prime example of undetectable scalar conversion catastrophe.
@rdlowrey
rdlowrey / cpu-core-count.php
Created February 20, 2015 14:50
OS-generalized CPU counting
<?php
function countCpuCores() {
    $os = (stripos(PHP_OS, "WIN") === 0) ? "win" : strtolower(trim(shell_exec("uname")));
    switch ($os) {
        case "win":
            $cmd = "wmic cpu get NumberOfCores";
            break;
        case "linux":
            $cmd = "cat /proc/cpuinfo | grep processor | wc -l";
            break;
<?php
function myHttpHandler(Request $request, Response $response) {
    // async function that returns a promise
    // we use yield to wait for that promise to resolve then resume here
    // if there's some kind of error it will be thrown into our generator
    $session = yield loadSessionFromRequest($request);
    if ($session->hasValue('isLoggedIn')) {
        // pass the individual promises from generateHttpBody() through using `yield from`
@rdlowrey
rdlowrey / request-params.md
Created June 22, 2012 15:03
Name/Value Parameters in PHP's HTTP Request Modeling

For many PHP devs, their first experience with HTTP request parameters comes in the form of the $_GET and $_POST superglobals. These globally accessible arrays are an easily digestible abstraction of the HTTP spec. Indeed, for basic applications operating only in the context of common browser user-agents, these eminently accessible parameter collections work well.

But there are some significant problems with $_GET and $_POST under the surface:

@rdlowrey
rdlowrey / pthreads-shutdown-worker.php
Last active December 20, 2015 05:09
Handling fatal errors inside threads via register_shutdown_function
<?php
class Worker extends \Worker {
    function run() {
        // &$this ref required to avoid segfault
        register_shutdown_function([&$this, 'onShutdown']);
    }
    private function onShutdown() {
@rdlowrey
rdlowrey / secure-http.md
Last active December 23, 2015 09:59
Secure stream encryption with native PHP.

PHP disables SSL/TLS peer verification by default. While this design decision significantly simplifies encrypted HTTP retrieval, it also means your transfers are totally vulnerable to Man-in-the-Middle attacks. To fully secure our transfers we need to verify that the party at the other end of our transfer is actually who they say they are.

To accomplish this we need two things:

  1. A CA file (in .PEM format) so we can tell openssl which certificate authorities we trust
  2. A stream context that specifies this CA file and instructs openssl to verify the other party

We can easily obtain the same CA file (direct link to .pem file) used by the Mozilla Foundation (the exact one cURL uses, BTW). This file is usually updated a handful of times each year and it's important to keep your CA file up-to-date or you risk trusting certificate authorities that are known to be insecure/unsafe. This kind of thing doesn't happen often, but it's important to upd

@rdlowrey
rdlowrey / libevent.md
Last active March 28, 2016 06:24
libevent aerys benchmarks

100k Requests -- 100 concurrent clients

ab -n 100000 -c 100 -k http://127.0.0.1:1337/

Server Software:        
Server Hostname:        127.0.0.1
Server Port:            1337

Document Path:          /

Keybase proof

I hereby claim:

  • I am rdlowrey on github.
  • I am dlowrey (https://keybase.io/dlowrey) on keybase.
  • I have a public key whose fingerprint is BA24 A9CC 19EE 0EBA 2078 1F9F AEE1 B63D FC9D 0D88

To claim this, I am signing this object:

@rdlowrey
rdlowrey / keybase.md
Created April 12, 2018 13:21
keybase.md

Keybase proof

I hereby claim:

  • I am rdlowrey on github.
  • I am rdlowrey (https://keybase.io/rdlowrey) on keybase.
  • I have a public key ASBeQKDHmLVbYmkyKlQ5gtlC1y41gcvv-rSB4tYjNJBqago

To claim this, I am signing this object: