From: Daniel Lowrey <rdlowrey@php.net>
Date: Tue, 28 Jan 2014 17:27:00 +0000 (-0700)
Subject: Update NEWS/UPGRADING
X-Git-Tag: php-5.6.0alpha2~1^2~29^2~6^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7a90254231eb419d2d7acfc5a3ce8c7f0e9ba181;p=php

Update NEWS/UPGRADING
---

diff --git a/NEWS b/NEWS
index 3b41c6a055..16bdf21858 100644
--- a/NEWS
+++ b/NEWS
@@ -69,6 +69,8 @@ PHP                                                                        NEWS
   . Peer name verification matches SAN DNS names for certs using
     the Subject Alternative Name x509 extension. (Daniel Lowrey)
   . Fixed segfault when built against OpenSSL>=1.0.1 (Daniel Lowrey)
+  . Peer certificates now verified by default in client socket operations
+    (RFC: https://wiki.php.net/rfc/tls-peer-verification). (Daniel Lowrey)
 
 - PDO_pgsql:
   . Fixed Bug #42614 (PDO_pgsql: add pg_get_notify support). (Matteo)
diff --git a/UPGRADING b/UPGRADING
index e59a632918..6758615974 100755
--- a/UPGRADING
+++ b/UPGRADING
@@ -28,6 +28,17 @@ PHP X.Y UPGRADE NOTES
   containing non-lowercase values inside JSON arrays or objects has never been
   accepted.
 
+- openssl:
+  To prevent Man-in-the-Middle attacks against encrypted transfers client
+  streams now verify peer certificates by default. Previous versions
+  required users to manually enable peer verification. As a result of this
+  change, existing code using ssl:// or tls:// stream wrappers (e.g.
+  file_get_contents(), fsockopen(), stream_socket_client()) may no longer
+  connect successfully without manually disabling peer verification via the
+  stream context's "verify_peer" setting. Encrypted transfers delegate to
+  operating system certificate stores by default, so many/most users *should*
+  be unaffected by this transparent security enhancement.
+
 ========================================
 2. New Features
 ========================================