Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:129734 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id DA4C41A00BC for ; Mon, 5 Jan 2026 11:28:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1767612488; bh=9zegE5+TAFuabCKMP+tHYxQiGzzZPFVecY0IRqG9AX4=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=AGj+3C3r5jPa5e9Hn+imvnJEA1CtmffVv0oh+3q0Sfrn1G+vkkuCE/IPt89XvKimG +zl88Z6tNOTWDOV/NtrygqMj64r91CR9n4b4YQ8ihrn06iiyyIXkHBJgzYx56p4Aje aeFlkjqGPJ7nIrnJpD6vMA1uMyassTCCDOaEEOIUbXTvNwe5CrGMKqrtiswrQla0Tp 8nRmeBCVYvQUa5iE3YKTVFp7bDcTrnTI6BSKb601P9czlcxGPJA76WbHMn1wUz0nIZ eoWDEY1vjAV5vnk8v3LsRa/r3/eirAFiclJcqk7bIAtED/FoDNEosroIDpVxVtsiGo VL9AC/WTfK3bA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id BF46A180053 for ; Mon, 5 Jan 2026 11:28:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: *** X-Spam-Status: No, score=3.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE, SPF_SOFTFAIL autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail.xdebug.org (mail.xdebug.org [176.126.244.128]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 5 Jan 2026 11:28:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1767612481; bh=9zegE5+TAFuabCKMP+tHYxQiGzzZPFVecY0IRqG9AX4=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=SJz7+9Q3+HflFGonM5Nx66HBiqMUMrFIS95DzhXcRZPPnWRd4H53LrZ+8T/0qCRpx pMZ91Die6NZk7z2B21S3hCdpaj6ngb21uysboNq0MU2olCc6L98bqW+UmbcXJh4MIW gkAZU3DX2kWWRj0N+Ls5kEHEyOEiB+yHVCjXfF5fJ3Li5TxOverDcu7OfDf3eVh2wp gfpbezMZfSZd8MtIji4YbzVKCL09B5KQ4yXO4SnFYuEABkBt4fTPuBtaNY1TPg173M XyeSs5o15fqYmkzb8oOzxL+xA0XNkncSOA7V5FJ+y+J3V6tsjriQSimrv3draNMRcd TjnIqGOHCVmsA== Received: from localhost (localhost [IPv6:::1]) by mail.xdebug.org (Postfix) with ESMTPS id 453BF20F0C; Mon, 05 Jan 2026 11:28:01 +0000 (UTC) Date: Mon, 5 Jan 2026 11:28:01 +0000 (GMT) To: Jakub Zelenka cc: PHP internals list Subject: Re: [PHP-DEV] [RFC] TLS Session Resumption Support for Streams In-Reply-To: Message-ID: <0d53cf4c-dc42-41f9-cd71-14658988c511@php.net> References: Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="8323329-1018591978-1767612481=:13281" From: derick@php.net (Derick Rethans) This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --8323329-1018591978-1767612481=:13281 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: QUOTED-PRINTABLE On Tue, 23 Dec 2025, Jakub Zelenka wrote: > I would like to introduce a TLS Session Resumption Support for Streams=20 > RFC that is part of my stream evolution work (PHP Foundation project=20 > funded by Sovereign Tech Fund) : >=20 > https://wiki.php.net/rfc/tls_session_resumption_api I have a few questions/comments: | Client-Only Options: |=20 | session_data (string) - Binary session data from a previous connection=20 | to resume. Data must be from a session_new_cb callback. =2E.. | session_new_cb (callable) - Callback invoked when a new session is | established. | ... | - $sessionData: Serialized session (OpenSSL format via=20 | i2d_SSL_SESSION) 1. Would it be possible to ensure this data is from the callback? 2. I am asking mostly whether we think it is wise that this internal=20 openssl data is exposed to the user, for which this is mainly an opaque=20 blob of data=C2=A0=E2=80=94 or in other words, an implementation detail of = *OpenSSL*. | Client Behavior | ... | 3. Server-only options (''session_get_cb'', ''session_remove_cb'', | ''session_cache'', ''num_tickets'', etc.) are ignored I don't think it is wise to *ignore* these, and I would prefer an error=20 situation to be caused by supplying options that have no effect. | Server Behaviour | ... | With External Cache (session_get_cb provided):=20 | - session_new_cb becomes required (E_WARNING if missing) | - session_context_id becomes required (E_WARNING if missing) If is is required, it shouldn't be a warning as it is a programming=20 error for which an Error-type exception ought to be thrown. On many=20 occasions warnings appear in a logging black hole. | - session_cache_size and session_timeout are ignored (application=20 | manages storage) For similar reasons, I don't think these should be just ignored either=20 (again: it's a programming error). | Backward Incompatible Changes | ... | - New options are ignored in older PHP versions (standard stream=20 | context behavior) That's not a Backward Compatibility issue, but a *Forward Compatibility*=20 issue.=20 | Potential Considerations:=20 | ... | - The new callbacks use resources passed as parameters - these must=20 | not be stored beyond the callback scope (documented limitation) Would it be possible to do this *without* introducing new=20 resources/resource types? cheers, Derick --=20 https://derickrethans.nl | https://xdebug.org | https://dram.io Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/suppo= rt mastodon: @derickr@phpc.social @xdebug@phpc.social --8323329-1018591978-1767612481=:13281--