Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70752 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 59120 invoked from network); 19 Dec 2013 14:39:21 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Dec 2013 14:39:21 -0000 Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.171 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 209.85.223.171 mail-ie0-f171.google.com Received: from [209.85.223.171] ([209.85.223.171:48436] helo=mail-ie0-f171.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4F/D1-42949-81503B25 for ; Thu, 19 Dec 2013 09:39:20 -0500 Received: by mail-ie0-f171.google.com with SMTP id ar20so1405014iec.16 for ; Thu, 19 Dec 2013 06:39:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=XrmWl3pyoRrk0AUl8OspPqq5Wo1ZkD+xl5H4Y4NJvy0=; b=0QvU/AKvmKpUB1IVsTH9wSKFf9x9woJDXPm0ToNKPQhi8+5pIcCros/qcVxm+9PSJQ 7lO+nTvW+MNVohYDC3SsVez31M0+GpG3Q4fkUGw33OHWh4QnqztFvtyt1U2fr4aPKnZQ nMOJlStzv33/51rfVONtbgzJpYaZgAfhNmcUg/jZqr/W/l1JMga4fuU/3gKWpRyFsdRm vCtSZaHexxwrokOBX8zeaGOh7/i+EBD/Wm/lf4DZFuj8jryD8GDMw1XAN80E2Dh2oZMY vCnKvsColPExmfOSbhm2x4gsl1r8yx2fxcZQe4lJaFEWZNWYsgnwEc5/yYXLhaFOkdqX 2nqA== MIME-Version: 1.0 X-Received: by 10.42.67.74 with SMTP id s10mr1247441ici.1.1387463957930; Thu, 19 Dec 2013 06:39:17 -0800 (PST) Received: by 10.50.208.105 with HTTP; Thu, 19 Dec 2013 06:39:17 -0800 (PST) Date: Thu, 19 Dec 2013 09:39:17 -0500 Message-ID: To: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=485b397dd25959e92204ede420bf Subject: Default https encryption wrapper From: rdlowrey@gmail.com (Daniel Lowrey) --485b397dd25959e92204ede420bf Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable I'd like to gauge support for another update in the spirit of the openssl changes scheduled for 5.6. Currently the http fopen wrapper defaults to the ssl:// scheme when retrieving an https:// resource as seen here: http://lxr.php.net/xref/PHP_5_6/ext/standard/http_fopen_wrapper.c#196 What this means to the underlying openssl lib is that the SSLv23 crypto method is used for handshake negotiation. The SSLv23 handshake method provides compatibility for SSL2, SSL3 and TLS1.0 protocols. Citing the "SSL/TLS Deployment Best Practices" report linked at the end of this message: - SSL v2 is insecure and must not be used. - SSL v3 is very old and obsolete. Because it lacks some key features and because virtually all clients support TLS 1.0 and better, you should not support SSL v3 unless you have a very good reason. - TLS v1.0 is largely still secure; we do not know of major security =EF=AC= =82aws when they are used for protocols other than HTTP. When used with HTTP, it can almost be made secure with careful con=EF=AC=81guration. - TLS v1.1 and v1.2 are without known security issues. While this allows more transfers to succeed in the wild it's also insecure. I personally don't believe it's a good idea to enable the use of SSL2 and SSL3 by default. Instead, I think the http fopen wrapper should use the tls:// scheme and send the TLS1.0 handshake by default. Will this cause some transfers that worked previously to fail? Yes. However, potential breakage when requesting resources from servers still using the (very) outdated protocols can be eliminated because as of 5.6 encrypted stream transports can be configured to use a specific crypto method (see link in references section) via the stream context at call time, e.g.: // Override the default with a specific protocol for this call $context =3D stream_context_create(['ssl' =3D> [ "crypto_method" =3D> STREAM_CRYPTO_METHOD_SSLv3_CLIENT ]]); file_get_contents('https://somesite', FALSE, $context); To me, this change is a necessary one. Most users should not notice the change as TLSv1.0 is well established and supported by *virtually* all servers. Default to the more secure protocols here would dovetail nicely alongside the other security enhancements in 5.6. Thoughts? -- References -- SSL/TLS Deployment Best Practices: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf Encrypted stream transports can now be configured in the stream context: https://github.com/php/php-src/commit/ce2789558a970057539094ca9019d98ff09e8= 31e --485b397dd25959e92204ede420bf--