Newsgroups: php.internals
Date: Sat, 11 Nov 2017 10:46:04 +0100
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)
To: Jakub Zelenka
Cc: Anatol Belski, Sara Golemon, PHP Internals

>
> I just pushed support for security_level [1] which is more comprehensive
> and the patch is also very simple.
>
> Apology for such last minute addition but I felt that it is really useful
> for 7.2 and I have already messaged about that and haven't heard any
> objections. Of course if anyone feels strongly against it, I will be happy
> to reconsider it.
>

Unfortunately I forgot about it, but it defaults to 0, which is equivalent
to prior OpenSSL versions. I guess it might make sense for consistency, but
we probably want to raise it to at least "1" in PHP 7.3 or maybe even "2".

OpenSSL's man page explicitly recommends against setting it higher than
"1", but only because of SHA-1, which should be phased out by now.

Regards, Niklas