Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:130073 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 632791A00BC for ; Mon, 16 Feb 2026 19:37:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1771270647; bh=uHtRXV2eayET3zZIn5D9MyArDO9U+xT9VGecZ0ZLbWs=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=UtPS4LhGjVH3GaFMba9muxewVNNLmz4SpXc9OLl9R7LP/e6dC7j2LHDbSt4YD5o/w PdUHUfeLQHeIMKeJMptmf1a3XPzfdjtzb/zMyq69Q5muKmcm5PM+pDa5qPsfLL9AKj mwUO8nOu3xc1KC493dQcNC9fPICQJzxOAo/glV2Q9XGQYQzNjFeey1FPnRVWN6Jxow MAPN/MZfjEhtLHFe00QSWceW0T9TH3lzoUZm4lIyltyk3k7OlC2a3IpROo2UuVexpN jhUXH+DZbse2AaO78XzzH9siJaFK7Vx2aB6EhSUig+oHdzRDct8Bll0VL9K0rVRQjh jyBCAvgun/H/A== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 04E2C1801E2 for ; Mon, 16 Feb 2026 19:37:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.7 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_50, DMARC_NONE,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 16 Feb 2026 19:37:23 +0000 (UTC) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-2a7a9b8ed69so34574155ad.2 for ; Mon, 16 Feb 2026 11:37:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1771270638; cv=none; d=google.com; s=arc-20240605; b=KDHTVfMyEUH/Kj+KTiT+oIjxL8EIh8/McdpIVCMSWaS/RUX7Yq0v585s3NERksSXUV BpXzwF9y6DzFJuclV3uzdO/lGJlDMtMJjr7oyTF3cVMLMgrqduU6uiGN35W156szAre5 zJDialoyzZL2lgTBnHmzxZT3PMrBoeLQvwyI8FiH+1t3IRYeYHyaI949lCCfxYEcN0CN Vvb0hcO9c7mKqHsnx6tMliDbV/LEjjmLwMIuKm+U6g/F5shRfoI6QuaIXvaLdrU0ksio HhJgDwuGlvQXPGypmzIFAB2SkCqwn4GCtUAjnYLwn0LL1h6oh621Hr53qpNL2MMBWxVy xxYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version; bh=dV5HUXDze6BpriOZQV75rrIgjsas16GP3FfbQ2boN84=; fh=OIQYSqgm3S/VOqj/Vwvm0I2g5KaG6SOxPPhCx0SNCh0=; b=eTCCCK17Z8nXDddtL/zmtJBaP69KwnXytt5rWzCmExE49YRvzDhgMmR8Prb9W1ROpH vNnli28PXWdEtlselXgBz3WkoYIct38AlkUB9TGF+R9RSCIo3qjZSFfNpammoB6o/bgH WcI1IJvmVZcACn0HRWpZ4otTGyd6Hxp94BYMBPnOg/f4DXIt/agkgEEOOercN3UuKnxx XRMc7UZrb5R3w+3AJT/iU5vuPV3sQxvXCpzgr3oEi2cgio6uqCQc9aO//WbwXf34dt88 FiBxlvtrpaTpkxSqbGniUIwy4GuDtAT1w+geJPbUGcAOz4uiZEfQQxk4l5MBoMdQegi2 9ynQ==; darn=lists.php.net ARC-Authentication-Results: i=1; mx.google.com; arc=none X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771270638; x=1771875438; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=dV5HUXDze6BpriOZQV75rrIgjsas16GP3FfbQ2boN84=; b=i2Yhc+2SsbHCwhkkzuUnH9e7R+TwC3upakaxUSk7Dp101iyRXQn6MBW9hQOsLiUtHk HUXXrz1X4vbWn08ss0d1Szjwn45HXuUzbsQfy4a/RVBRkcmymzA0j8a2B+9fZWHtCMSf idPCLwWyCVr9zW0Lumqaj2LhNqsjlrzCReyHA2AX6pS34kqdjA+mYRmI6pnEssmvBW5b rJtlIE9wyOB1htaGy0Q5lVsKbE0+fb1HFuvdSxDNt8e6Lp1mDvrJ9shbPPQP7jO8iOTS ZNN23XVOR2wdYYFQeO5CrxK3zaHzbSMbMSf1DxEnVExnvEW3kX2IITbclitZyYTRJ0WB SPgg== X-Gm-Message-State: AOJu0YyjuvPE6vPgJYdF1UXurNN8cd2ZWLKP+PLon7OnnSjCUjYvfrwr tMIPrZU1FhITCi1Q6s2C5CzVawZdqAC7JK5PfA9+fGVJL0sK94Bsc4G+Cmv7U7CTEnKWnQkF42K 2t/Ci1gkMk9/XsXqqSAGeWASyKXiAJ5jPPHZL X-Gm-Gg: AZuq6aJfchAzVYmpg4qsPVj4vqHYHEB+/doXqg9N41kfq4BggmoxJKUUd1x2wnlraXS 8yGsDFrRs/ys/tTBa1Y6EOWp6HpP4TFQ0/TlM4R8ZX/8JignD6iYmXmEMpFppP1vKFIDb6azT7Q lXw92WYDFjLrGieXMKJGTJ7jCr2PH/0nHKDBVeeCFftu5Ri/689Mj08niIJ0LqrYLhgrOsw/lSn FMvd5Jxoy64ggkdDYJwUTdGAak1DsoGs7Mq0427RymDB4Td0IPIr/x/uMwc2zYUScvlBbNuNabC zymdHUs= X-Received: by 2002:a05:6820:989:b0:677:8da:2866 with SMTP id 006d021491bc7-67768dc3900mr1272851eaf.40.1771010140140; Fri, 13 Feb 2026 11:15:40 -0800 (PST) Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: <0d53cf4c-dc42-41f9-cd71-14658988c511@php.net> In-Reply-To: <0d53cf4c-dc42-41f9-cd71-14658988c511@php.net> Date: Fri, 13 Feb 2026 20:15:28 +0100 X-Gm-Features: AaiRm53ecgeN6yFeF3YckjyK-GhdJhi3RiMgO-mw6uvryFh4ndnGxc1lKFR_oAw Message-ID: Subject: Re: [PHP-DEV] [RFC] TLS Session Resumption Support for Streams To: Derick Rethans Cc: PHP internals list Content-Type: multipart/alternative; boundary="0000000000004bfdba064ab96eb0" From: bukka@php.net (Jakub Zelenka) --0000000000004bfdba064ab96eb0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, On Mon, Jan 5, 2026 at 12:28=E2=80=AFPM Derick Rethans wro= te: > On Tue, 23 Dec 2025, Jakub Zelenka wrote: > > > I would like to introduce a TLS Session Resumption Support for Streams > > RFC that is part of my stream evolution work (PHP Foundation project > > funded by Sovereign Tech Fund) : > > > > https://wiki.php.net/rfc/tls_session_resumption_api > > I have just done a significant update (version 0.2 of RFC) that introduces OpenSSLSession class and re-implementation of the SSL_CTX creation (mainly for server) and some other changes. > I have a few questions/comments: > > | Client-Only Options: > | > | session_data (string) - Binary session data from a previous connection > | to resume. Data must be from a session_new_cb callback. > ... > | session_new_cb (callable) - Callback invoked when a new session is > | established. > | ... > | - $sessionData: Serialized session (OpenSSL format via > | i2d_SSL_SESSION) > > 1. Would it be possible to ensure this data is from the callback? > > Yes, I introduced OpenSSLSession which represent the actual session so sessionData can be only instance of this class. > 2. I am asking mostly whether we think it is wise that this internal > openssl data is exposed to the user, for which this is mainly an opaque > blob of data =E2=80=94 or in other words, an implementation detail of *Op= enSSL*. > > It was ASN.1 DER representation but I agree that using object is better which I introduced in the update. It also allows serialization / deserialization (import / export) from DER and PEM. Just a note that constant (not enum) is used because that constant already exist and it's used in other function so adding enum would be out of scope and inconsistent here (please don't ask for it :) ). > | Client Behavior > | ... > | 3. Server-only options (''session_get_cb'', ''session_remove_cb'', > | ''session_cache'', ''num_tickets'', etc.) are ignored > > I don't think it is wise to *ignore* these, and I would prefer an error > situation to be caused by supplying options that have no effect. > > There is now error thrown for some illogical combination that can be checked easily. Unknown stream options are always ignored but I agree that in some cases it could be confusing so throwing ValueError there. > | Server Behaviour > | ... > | With External Cache (session_get_cb provided): > | - session_new_cb becomes required (E_WARNING if missing) > | - session_context_id becomes required (E_WARNING if missing) > > If is is required, it shouldn't be a warning as it is a programming > error for which an Error-type exception ought to be thrown. On many > occasions warnings appear in a logging black hole. > > This has been changed to exceptions > | - session_cache_size and session_timeout are ignored (application > | manages storage) > > For similar reasons, I don't think these should be just ignored either > (again: it's a programming error). > As I noted all unknown stream options are ignored. This has been always the case. This would require redesign of stream option and big BC break to change it. I removed this note from RFC because it's just how things work there. I also addressed some missing cases that now throws but can't really go any further as it would make things inconsistent with the rest of the code. > | Backward Incompatible Changes > | ... > | - New options are ignored in older PHP versions (standard stream > | context behavior) > > That's not a Backward Compatibility issue, but a *Forward Compatibility* > issue. > > I removed that note. > | Potential Considerations: > | ... > | - The new callbacks use resources passed as parameters - these must > | not be stored beyond the callback scope (documented limitation) > > Would it be possible to do this *without* introducing new > resources/resource types? > > This was meant for provided stream but it can be actually used so I removed it. Cheers Jakub --0000000000004bfdba064ab96eb0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

On Mon, Jan 5, 2026 at 12:28= =E2=80=AFPM Derick Rethans <derick@php= .net> wrote:
On Tue, 23 Dec 2025, Jakub Zelenka wrote:

> I would like to introduce a TLS Session Resumption Support for Streams=
> RFC that is part of my stream evolution work (PHP Foundation project <= br> > funded by Sovereign Tech Fund) :
>
> https://wiki.php.net/rfc/tls_session_resumpt= ion_api


I have just done a significant update = (version 0.2 of RFC) that introduces OpenSSLSession class and re-implementa= tion of the SSL_CTX creation (mainly for server) and some other changes.
=C2=A0
I have a few questions/comments:

| Client-Only Options:
|
| session_data (string) - Binary session data from a previous connection | to resume. Data must be from a session_new_cb callback.
...
| session_new_cb (callable) - Callback invoked when a new session is
| established.
| ...
| - $sessionData: Serialized session (OpenSSL format via
|=C2=A0 =C2=A0i2d_SSL_SESSION)

1. Would it be possible to ensure this data is from the callback?


Yes, I introduced=C2=A0OpenSSLSession = which represent the actual session so sessionData can be only instance of t= his class.
=C2=A0
2. I am asking mostly whether we think it is wise that this internal
openssl data is exposed to the user, for which this is mainly an opaque blob of data=C2=A0=E2=80=94 or in other words, an implementation detail of = *OpenSSL*.


It was ASN.1 DER representation but I = agree that using object is better which I introduced in the update. It also= allows serialization / deserialization (import / export) from DER=C2=A0 an= d PEM.

Just a note that constant (not enum) is use= d because that constant already exist and it's used in other function s= o adding enum would be out of scope and inconsistent here (please don't= ask for it :) ).
=C2=A0
| Client Behavior
| ...
| 3. Server-only options (''session_get_cb'', ''ses= sion_remove_cb'',
| ''session_cache'', ''num_tickets'', etc.)= are ignored

I don't think it is wise to *ignore* these, and I would prefer an error=
situation to be caused by supplying options that have no effect.


There is now error thrown for some ill= ogical combination that can be checked easily. Unknown stream options are a= lways ignored but I agree that in some cases it could be confusing so throw= ing ValueError there.
=C2=A0
| Server Behaviour
| ...
| With External Cache (session_get_cb provided):
| - session_new_cb becomes required (E_WARNING if missing)
| - session_context_id becomes required (E_WARNING if missing)

If is is required, it shouldn't be a warning as it is a programming error for which an Error-type exception ought to be thrown. On many
occasions warnings appear in a logging black hole.


This has been changed to exceptions
=C2=A0
| - session_cache_size and session_timeout are ignored (application
| manages storage)

For similar reasons, I don't think these should be just ignored either =
(again: it's a programming error).

= As I noted all unknown stream options are ignored. This has been always the= case. This would require redesign of stream option and big BC break to cha= nge it. I removed this note from RFC because it's just how things work = there. I also addressed some missing cases that now throws but can't re= ally go any further as it would make things inconsistent with the rest of t= he code.
=C2=A0
| Backward Incompatible Changes
| ...
| - New options are ignored in older PHP versions (standard stream
|=C2=A0 =C2=A0context behavior)

That's not a Backward Compatibility issue, but a *Forward Compatibility= *
issue.


I removed that note.
=C2=A0<= /div>
| Potential Considerations:
| ...
| - The new callbacks use resources passed as parameters - these must
|=C2=A0 =C2=A0not be stored beyond the callback scope (documented limitatio= n)

Would it be possible to do this *without* introducing new
resources/resource types?


This was = meant for provided stream but it can be actually used so I removed it.

Cheers

Jakub=C2=A0
--0000000000004bfdba064ab96eb0--