Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:101233 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 68443 invoked from network); 4 Dec 2017 21:36:08 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Dec 2017 21:36:08 -0000 Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.179 as permitted sender) X-PHP-List-Original-Sender: jakub.php@gmail.com X-Host-Fingerprint: 209.85.161.179 mail-yw0-f179.google.com Received: from [209.85.161.179] ([209.85.161.179:37354] helo=mail-yw0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D6/84-28358-6CFB52A5 for ; Mon, 04 Dec 2017 16:36:07 -0500 Received: by mail-yw0-f179.google.com with SMTP id v190so203743ywg.4 for ; Mon, 04 Dec 2017 13:36:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=6mtUDs3usjVQzVBVgPjqH4ZPYa2mvjKEkQtIYkGkKlc=; b=CO89mq92BAYgZsVu9UwrpWOV2x9cxP5Ro/xaIK3hSTWJEL3OLUoYDiW1FSBpJYPZ2Q FWevUyCD/0lLNMAFUIxjebCd0lHPy0JOsVrB3Gq7qO3IeGSRBl/Rl75Ku1RQdQkTeTH8 YLNhWmSU2KIdNwrz88C/xsUvHgSAk4IoidNb5wGjtJPXTC4zWpQlBcUTJ+qnw8qX66Ei efCdFMNiUn0+JjdjKgzuqDje8l1cNkzkvYutPTq0CW+yXIeclhUtEop+1O/WWxnutInD Zv3ZVeHmArDoc1NFFRENFIrfBfhw/Lg2rjWyyH45gNTuc7jLfELTS3PX8czirZzBrCFb LSNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=6mtUDs3usjVQzVBVgPjqH4ZPYa2mvjKEkQtIYkGkKlc=; b=d9iupWJNSy0veEStGiF/HV6XcxO0HiQTYMNO6CbjVlsUWGpUM68b+071CROONVFfUZ HiKr6afs6S7ibvCrQnsWjveGgEZk9L+SUunYrg/iW4qD7TkI74pb9/BAMwCW27ROwY35 bL28cYQhPZHo+JaW4Gzp4mwQgdKRZbI4szLKTNNGu3XGZ0lsSBr34jgCuf3JoYacFykK bl0zLxMPfWkzo+mYKYlxcyRgBSmV7rUuEEqhaKVgSS406g/kqjfDOBbHw2amI9JHegGA tP+8pfbMrVVATFlIvxBbqJklqLdfp/aLWMyfE5no48vvzIjChP98JNfCarcSmWyod7tO 2VvA== X-Gm-Message-State: AJaThX6Fj0uvaNRqs1wMuYj8Ksywd4ey9hw2GpYC4IOKN+rEp847xiIj QKokugReDGTJGG8XF4+oUUCQJPHYgfGLLIwoGHQ= X-Google-Smtp-Source: AGs4zMbg/zW0f+DqPjbyJR4tO3PxaNNW2MzOso2ghBquMzyWLLQdQGICYXxmnHQGwd2yk9aInPSVpwIf9dDDfuaRWYI= X-Received: by 10.129.99.137 with SMTP id x131mr11234667ywb.507.1512423364568; Mon, 04 Dec 2017 13:36:04 -0800 (PST) MIME-Version: 1.0 Sender: jakub.php@gmail.com Received: by 10.129.114.130 with HTTP; Mon, 4 Dec 2017 13:36:04 -0800 (PST) In-Reply-To: References: <41630a4e-8772-bdfb-e859-831a36dc67ea@rhsoft.net> <9f3d28e1-cc6d-d5dc-da04-7e3791070be8@rhsoft.net> Date: Mon, 4 Dec 2017 21:36:04 +0000 X-Google-Sender-Auth: PPEveDU9Qu5-DHRoMdlWx2m9wI0 Message-ID: To: Sara Golemon Cc: "lists@rhsoft.net" , PHP Internals Content-Type: multipart/alternative; boundary="001a11491540652964055f8a810c" Subject: Re: [PHP-DEV] PHP 7.2.0 Released From: bukka@php.net (Jakub Zelenka) --001a11491540652964055f8a810c Content-Type: text/plain; charset="UTF-8" On Mon, Dec 4, 2017 at 5:36 PM, Sara Golemon wrote: > On Fri, Dec 1, 2017 at 6:35 PM, lists@rhsoft.net wrote: > > the main question is why does PHP need to to *anything* here instead hand > > the TLS handshake completly over to openssl? in that case even PHP5 could > > perfer TLS1.2 ciphers against a sevrer that orders them on top without > touch > > any line of PHP's code > > > Because the SSL API in OpenSSL that PHP uses doesn't let you say: > "Just give me the best method you can". > > SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); > const SSL_METHOD *SSLv23_method(void); > const SSL_METHOD *SSLv23_server_method(void); > const SSL_METHOD *SSLv23_client_method(void); > const SSL_METHOD *TLSv1_2_method(void); > const SSL_METHOD *TLSv1_2_server_method(void); > const SSL_METHOD *TLSv1_2_client_method(void); > const SSL_METHOD *TLSv1_1_method(void); > const SSL_METHOD *TLSv1_1_server_method(void); > const SSL_METHOD *TLSv1_1_client_method(void); > const SSL_METHOD *TLSv1_method(void); > const SSL_METHOD *TLSv1_server_method(void); > const SSL_METHOD *TLSv1_client_method(void); > #ifndef OPENSSL_NO_SSL3_METHOD > const SSL_METHOD *SSLv3_method(void); > const SSL_METHOD *SSLv3_server_method(void); > const SSL_METHOD *SSLv3_client_method(void); > #endif > #ifndef OPENSSL_NO_SSL2 > const SSL_METHOD *SSLv2_method(void); > const SSL_METHOD *SSLv2_server_method(void); > const SSL_METHOD *SSLv2_client_method(void); > #endif > > There may be another SSL API that does, but that's more than just "set > the value to any and be done with it". > Yep there is SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version in OpenSSL 1.1.0+ which is the preferred way how to set the protocol. The version specific method are all now deprecated and should not be used. I have got it on my TODO list so hopefully will find time to implement it. It would be ideal to just introduce min and max protocol version context options for tls and possibly ssl (which is tls alias now) streams. It is of course backportable to 1.0.1 and 1.0.2 using SSL_OP_NO_* which is how it is basically working now but for 1.1.0+ it will use more flexible min and max. I think it would also make sense to deprecate tlsv* and sslv* streams but don't feel so strongly about it. The c part implementation is not too difficult but we should probably improve and extend the version tests (that are really slow atm.) so it might take a bit. Anyway I really hope to have it in 7.3. Cheers Jakub --001a11491540652964055f8a810c--