PHP-Security.net:
X.509 PKI login with PHP and Apache
May 30, 2008 @ 17:05:59

Christopher Kunz has relaunched his php-security.net domain with a brand new blog and a new article posted today - "X.509 PKI login with PHP and Apache".

Since grid computing (that's what I'm currently doing) also is very much about Single-sign on and delegation of rights, username/password authentication schemes don't quite do it for us. Thus, a PKI (public key infrastructure) based on X.509 is employed.

He explains the acronym soup by defining the process as an advanced means of "showing the web who you are". He covers some of the basics about the certificates and who the good candidates for this type of authentication are. Then the tech starts - how to get Apache configured to use them and how to use them in PHP to authenticate the external user (requiring OpenSSL compiled in to access the needed functions).

x509 pki login apache certificate tutorial openssl



Antony Dovgal's Blog:
5.3 snapshots are available
February 28, 2008 @ 09:33:00

Antony Dovgal points out that Derick Rethans has added the snapshots for PHP 5.3 to the snaps.php.net website.

Short list of what you can find there: Namespaces, __callstatic() magic method, accessing static members through $foo::myFunc(), fully rewritten ini-parser with .htaccess-like user defined ini files for CGI/FastCGI, improved OpenSSL extension, PCRE 7.4, and other fixes and improvements that will never get into 5_2 branch.

He recommends testing thoroughly before the major release to find all of the bugs before the general public does. Builds for both source and Windows systems have been posted.

php5 snapshot snaps namespace latestaticbinding static pcre openssl


Harry Fuecks' Blog:
Using OpenSSL, RSA and RC4 to exchange encrypted data from PHP to Java
October 30, 2007 @ 11:14:00

Harry Fuecks came across a need in his development work to bridge a gap between a PHP script and some Java work he'd done. He found the way that fit his situation the best - the encryption of the data on the PHP side via OpenSSL.

Needed a mechanism to be able to pass chunks of data securely from PHP to Java [...] One solution might be something "from scratch" involving mcrypt or PHP libraries like Crypt_RSA. [...] Another approach is GnuPG, either via the command line as discussed in this tutorial or via the GnuPG extension from PECL.

Option 3 is using OpenSSL and PHP's openssl_seal() function. SSL is normally used for encrypting networked communication between peers but that's not all it can do. [...] What's more - and perhaps the biggest win - it also allows us to re-use existing SSL certificates.

He uses the openssl_seal functionality, on top of the EVP encrypted envelope on the certificate, to handle the encryption and decryption of the data. Both the PHP code and Java code (and an execution example) are included in the post.

rsa openssl rc4 encrypt decrypt java exchange data


Christopher Kunz's Blog:
Building PHP with cURL and libmysqlclient5
June 08, 2007 @ 07:06:00

In a new blog entry, Christopher Kunz talks about an issue he had when upgrading his MySQL version to 5.0.22 and recompiling with PHP.

I ended up with the following error at make install: PHP Fatal error: Unable to start curl module in Unknown on line 0

Finding that it was a MySQL issue, he set about tracking down the cause (it turned out to be a badly linked SSL library on MySQL's part). This issue is only in the MySQL binaries, though, so if you come across it you'll just need to compile MySQL by hand first, then compile PHP against it.

mysql compile openssl yassl library link


Wez Furlong:
OpenID (and TypeKey) using native OpenSSL functions in PHP
February 13, 2007 @ 09:03:00

Wez Furlong, a proponent of the OpenID authentication system, has posted a new tutorial of sorts that details a script for communication between your application and the OpenID servers.

I have a patch (php-openid.diff, for PHP 5, might also apply to PHP 4) for the openssl extension that makes it easier to build OpenID and TypeKey authentication support into your PHP apps. I don't have a canned solution for you to deploy, but I can give you some pointers on how to use these bits. I'm assuming that you know a bit about how OpenID works.

It's broken up into three sections - a look at associating with an OpenID server, performing the actual authentication (including the code for the page they're redirected back to), and an example of using the same functionality to interface with TypeKey.

openid typekey authentication openssl patch example


Zend Developer Zone:
Weekly Summaries, Issues #323 & #324
January 31, 2007 @ 08:34:00

The Zend Developer Zone has posted both the Zend Weekly Summaries issues #323 and #324.

In #323, there's talk of OpenSSL integration, a CVS server change, and several PHP security discussions (a suggested read).

Issue #324 talks about runtime JIT proposals, debugging overloaded objects, more on PHP security, the release of PHP 5.2.1 RC3, and more "fine grained" control over allow_url_*.

Be sure to keep up with the latest mailing list and community happenings through these great updates from Steph Fox.

weekly summary openssl secutiy disucssion mailing list


Zend Developer Zone:
Zend Weekly Summaries Issue #322
January 29, 2007 @ 12:27:00

The latest weekly summary for the PHP mailing lists has been posted over on the Zend Developer Zone. This week, discussions included:

  • Sandboxed semaphores
  • Focus on *printf [continued]
  • PHP 5.2.1 RC2 and PHP 4.4.5 RC1
  • It's all in the HEAD

Descriptions of each of the headings are provided, including code and a "short version" for those on the run.

Be sure to check back each week for a new summary.

zend weekly summary semaphore fileinfo relrease fastcgi head openssl


Wez Furlong's Blog:
Identity/Authentication and PHP OpenSSL updates in the pipeline
October 26, 2006 @ 13:27:50

In his latest post, Wez Furlong shares some of the updates he's made to his blog - specifically when it comes to the external user authentication system he's implemented.

Why do I have an external authentication mechanism? I don't want to maintain a user database just for my blog. It's more moving parts and requires things like sending email pings to random email addresses and mechanisms for resetting or retrieving a forgotten password. Not to mention that it's yet another username/password to be remembered by the person doing the commenting.

So, instead, he authenticates against the php.net cvs setup for any and all users of his site. He transitions from this over to the main point of the post - his thoughts on authentication, specifically the move towards a more centralized resource to bounce the user's information off of. He mentions TypeKey and OpenID as two technologies that are moving in the right direction.

Bringing it back to PHP, Wez notes that the PHP support for both of these technologies is very lacking, but he's been working on a patch for the openssl extension that could help that significantly.

identity authentication openssl update openid typekey verisign


Christopher Kunz's Blog:
Building PHP with cURL and libmysqlclient5
July 31, 2006 @ 05:38:34

On his blog today, Christopher Kunz quickly mentions a problem that he came across when trying to install MySQL 5.0.22 with PHP 4.4.2 and cURL support. There was an unexpected result - an "Unknown" cURL error.

It seems that this is indeed a MySQL issue and there is a PHP bug (bogused) as well as a MySQL bug report for the problem. There's also a blog entry by Ilia that details a possible solution. Basically, MySQL saw it fit to link their binary distribution not against OpenSSL (which is probably available on near 100% of unixoid hosts out there), but YaSSL - of which I personally never even heard.

Apparently, the issue comes from the clashing of function names inside the packages, making for a world of troubles. For a solution, check out Ilia's blog post mentioned before.

curl compile mysql error library openssl yassl




All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework