Update NEWS/UPGRADING

diff --git a/NEWS b/NEWS
index 3b41c6a0550661d13b224355aa28d88b2a37e832..16bdf21858a61c1a646a89274520b570b04f262e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -69,6 +69,8 @@ PHP                                                                        NEWS
   . Peer name verification matches SAN DNS names for certs using
     the Subject Alternative Name x509 extension. (Daniel Lowrey)
   . Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
+  . Peer certificates now verified by default in client socket operations
+    (RFC: https://wiki.php.net/rfc/tls-peer-verification). (Daniel Lowrey)
 
 - PDO_pgsql:
   . Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support). (Matteo)

diff --git a/UPGRADING b/UPGRADING
index e59a6329189d946e389144ab01c3667f3036a314..675861597457b0be15eed5ecfce277606fe85130 100755 (executable)
--- a/UPGRADING
+++ b/UPGRADING
@@ -28,6 +28,17 @@ PHP X.Y UPGRADE NOTES
   containing non-lowercase values inside JSON arrays or objects has never been
   accepted.
 
+- openssl:
+  To prevent Man-in-the-Middle attacks against encrypted transfers client
+  streams now verify peer certificates by default. Previous versions
+  required users to manually enable peer verification. As a result of this
+  change, existing code using ssl:// or tls:// stream wrappers (e.g.
+  file_get_contents(), fsockopen(), stream_socket_client()) may no longer
+  connect successfully without manually disabling peer verification via the
+  stream context's "verify_peer" setting. Encrypted transfers delegate to
+  operating system certificate stores by default, so many/most users *should*
+  be unaffected by this transparent security enhancement.
+
 ========================================
 2. New Features
 ========================================