Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:70754
Return-Path: <adam@adamharvey.name>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 73384 invoked from network); 19 Dec 2013 18:11:08 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Dec 2013 18:11:08 -0000
Authentication-Results: pb1.pair.com header.from=adam@adamharvey.name; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=adam@adamharvey.name; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain adamharvey.name designates 209.85.219.42 as permitted sender)
X-PHP-List-Original-Sender: adam@adamharvey.name
X-Host-Fingerprint: 209.85.219.42 mail-oa0-f42.google.com  
Received: from [209.85.219.42] ([209.85.219.42:53597] helo=mail-oa0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B1/93-42949-AB633B25 for <internals@lists.php.net>; Thu, 19 Dec 2013 13:11:07 -0500
Received: by mail-oa0-f42.google.com with SMTP id i4so1640502oah.1
        for <internals@lists.php.net>; Thu, 19 Dec 2013 10:11:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=adamharvey.name; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type:content-transfer-encoding;
        bh=IoJyLiQQqC6ckZ4ruDEBCxYBNdBwaIaKblOUbT+22aM=;
        b=CnuJ2/q3gDIWM5MmyTEQMkYEbzjvWnTHqFcvfhu70WmGmvgwlZfJiXzcxORmMZDnhO
         MYPUEl7BMVFVBkjQUXZitpq0YGbkqwA5npxDDxw7zX53tMPceWzA8rWve6/IsstXlyW2
         y3dqJ9yHzYtV/5AaO5mjWuZhRcG+v9FislCTM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-type
         :content-transfer-encoding;
        bh=IoJyLiQQqC6ckZ4ruDEBCxYBNdBwaIaKblOUbT+22aM=;
        b=DQ23aW1HrGPF/4dbQexw79Eb8w0mALE7hwRox6/YjoCh6plZYXYFTcA0uZY1r/ovr7
         o+CPGbWnqr+BynfnjCclsct86eaC6FqpGlJox7Wvsx5WTAb+FEEqlabwm3jRnSstfXey
         K49wi23H36cgLAKA6e0N2HyHv/cLmdoJd6btq4lH6LSk7T4ecZwPuMhk1CivNfi4US8x
         4zJcQpz/d9l2zj0+qA7lBrcDbWYCTRh/KTibGMjJULWKKGOsWVAI2OYlh14onWbMQF1q
         3bkkMLOX3+QWZWsvwBcOKQUsblY9SS6U0zQdNgvyIv5fA0YMpYDmPLL6H+12gYz+oO7w
         /Bjg==
X-Gm-Message-State: ALoCoQnIfQ6YPhbR/kK5bmeHtCi2fzVXZwiDbx6IWnbmOHg8f2vserxcil37pkbcjJmf1YrpWzos
X-Received: by 10.60.93.67 with SMTP id cs3mr2425693oeb.12.1387476663608; Thu,
 19 Dec 2013 10:11:03 -0800 (PST)
MIME-Version: 1.0
Sender: adam@adamharvey.name
Received: by 10.76.82.100 with HTTP; Thu, 19 Dec 2013 10:10:42 -0800 (PST)
In-Reply-To: <CAH8MpnkecZ5eEPBpkmn+qTr8GcbRy3o3nDJYcSe4DFEM3-nj9A@mail.gmail.com>
References: <CAH8MpnkecZ5eEPBpkmn+qTr8GcbRy3o3nDJYcSe4DFEM3-nj9A@mail.gmail.com>
Date: Thu, 19 Dec 2013 10:10:42 -0800
X-Google-Sender-Auth: YYoZwF9E56CgZGe7TQFOYt5ezJA
Message-ID: <CADajX4CqPKH3Aogok658+LJVV2jN7DCB_GTX9g2WwrqEvKAEGw@mail.gmail.com>
To: Daniel Lowrey <rdlowrey@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Default https encryption wrapper
From: aharvey@php.net (Adam Harvey)

On 19 December 2013 06:39, Daniel Lowrey <rdlowrey@gmail.com> wrote:
> - SSL v2 is insecure and must not be used.

On the bright side, pretty much every browser no longer enables SSLv2
support, so that one's definitely safe to remove.

> To me, this change is a necessary one. Most users should not notice the
> change as TLSv1.0 is well established and supported by *virtually* all
> servers. Default to the more secure protocols here would dovetail nicely
> alongside the other security enhancements in 5.6.

I agree with all of the above, but wanted to track down some rough
numbers to figure out if we'd be causing significant pain by no longer
supporting SSLv3 by default in https:// URLs. I found a couple of
surveys:

1. http://blog.ivanristic.com/2011/09/ssl-survey-protocol-support.html
=E2=80=94 from September 2011, surveying 298604 sites from Alexa's top
million. 5315 (1.8%) of those servers two years ago had no support for
TLS. That alone might have been enough to sway me, but then I found:

2. https://www.trustworthyinternet.org/ssl-pulse/ =E2=80=94 from 2=C2=BD we=
eks ago,
indicating that 0.7% of the ~200k surveyed sites have no support for
TLS.

Every remotely supported Linux distro ships a version of OpenSSL that
supports at least TLS 1.0 (yes, even RHEL 4), so I don't see that as
an impediment.

> Thoughts?

I think we should do it. It will need to be documented clearly, and
hopefully we can put a good error message on top of this for users who
do run into problems with SSLv3-only servers, but I think the increase
in security is worthwhile, just as I did for the peer verification
work.

Great work, Daniel!

Thanks,

Adam