Newsgroups: php.internals
Date: Thu, 19 Dec 2013 14:36:57 -0500
Subject: Re: [PHP-DEV] Default https encryption wrapper
From: rdlowrey@gmail.com (Daniel Lowrey)
To: Martin Jansen
Cc: Adam Harvey, internals@lists.php.net
In-Reply-To: <20131219192914.GA721@scalar.divbyzero.net>

On Thu, Dec 19, 2013 at 2:29 PM, Martin Jansen wrote:
> On Thu Dec 19, 2013 at 10:1042AM -0800, Adam Harvey wrote:
> > On 19 December 2013 06:39, Daniel Lowrey wrote:
> > > To me, this change is a necessary one. Most users should not notice the
> > > change as TLSv1.0 is well established and supported by *virtually* all
> > > servers. Defaulting to the more secure protocols here would dovetail nicely
> > > alongside the other security enhancements in 5.6.
> >
> > I think we should do it. It will need to be documented clearly, and
> > hopefully we can put a good error message on top of this for users who
> > do run into problems with SSLv3-only servers, but I think the increase
>
> I agree with that. Part of the reasoning for my change to
> stream_context_set_option() that Daniel mentions was to make it
> possible to swap the default transport in the future while giving
> people a way to go back to the old SSLv23 behaviour if they really
> need it.
>
> - Martin

Yes, the in-context crypto method assignment is an extremely helpful
addition. I failed to fully appreciate its importance at first, but for what
we're doing now (gently nudging people into the more secure protocols) it
makes it possible to significantly improve security without breaking
everything for the few stragglers still stuck with SSLv3. Kudos!
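The in-context crypto method assignment the thread refers to, shown as an added example that is not part of the original message or of PHP's own code: the `crypto_method` entry of the `ssl` stream context pins the https wrapper to TLS, and the old SSLv23 behaviour becomes an explicit, deliberate opt-in rather than the silent default. It assumes a PHP 5.6 or later build where the `crypto_method` context option and the `STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT` constant exist; the URL is a placeholder.

```php
<?php
// Added example, not code from the thread: build an https stream context
// that pins the crypto method in-context. Assumes PHP >= 5.6, where the
// 'crypto_method' ssl context option is honoured by the https wrapper.

function makeHttpsContext($allowLegacySslv23 = false)
{
    // Secure default: TLS 1.2 only. The legacy branch restores the old
    // SSLv23 negotiation and should only be reached by an explicit decision.
    $method = $allowLegacySslv23
        ? STREAM_CRYPTO_METHOD_SSLv23_CLIENT
        : STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;

    $ctx = stream_context_create(array(
        'ssl' => array(
            'verify_peer'      => true,  // validate the certificate chain
            'verify_peer_name' => true,  // and that it matches the host
        ),
    ));

    // The in-context assignment discussed in the thread: the wrapper picks
    // up this method instead of whatever the global default happens to be.
    stream_context_set_option($ctx, 'ssl', 'crypto_method', $method);
    return $ctx;
}

// Placeholder host; replace with the endpoint you actually need to reach.
$url = 'https://example.com/';

$body = @file_get_contents($url, false, makeHttpsContext());
if ($body === false) {
    // A failure here is the signal to investigate the server, not to flip
    // the legacy switch silently: log it and stop.
    $err = error_get_last();
    fwrite(STDERR, 'TLS 1.2 fetch failed: '
        . ($err ? $err['message'] : 'unknown error') . "\n");
    exit(1);
}
echo strlen($body), " bytes received over TLS 1.2\n";
```

Re-running with `makeHttpsContext(true)` is the per-call escape hatch for an SSLv3-only peer, which keeps the relaxed setting scoped to one context instead of weakening every https stream in the process.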