Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:71903
Return-Path: <rdlowrey@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 71359 invoked from network); 31 Jan 2014 22:08:30 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 31 Jan 2014 22:08:30 -0000
Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.171 as permitted sender)
X-PHP-List-Original-Sender: rdlowrey@gmail.com
X-Host-Fingerprint: 209.85.223.171 mail-ie0-f171.google.com  
Received: from [209.85.223.171] ([209.85.223.171:50466] helo=mail-ie0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D0/C3-54292-DDE1CE25 for <internals@lists.php.net>; Fri, 31 Jan 2014 17:08:29 -0500
Received: by mail-ie0-f171.google.com with SMTP id as1so4904806iec.16
        for <internals@lists.php.net>; Fri, 31 Jan 2014 14:08:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=W+YaYR/bpwUOxoj64tNjMx+E6vLrcunSDk3su5u+yWw=;
        b=vg1BVcZwTSykzO2csS4IWrmhe9YfnGtMxu3RrgcoFUKeCPPAEZMC4VNbtrmfJgNPfa
         K8o+xhCBpHThe3XEIBqWcjkMZWuJynx4LYPrlGueNanSk9fF38Pic392cU900CUZMOLj
         2TkYoS23pD9vP1OjDDzxdYHupxcwgoEgnPIzxXwwO78P1Me9k7kjOOq+gUFBurrSZIMe
         ixpfgLygipBF3Rnl+b3ormls95FWdjJ0RkpWxdhBUvkIYEQwRXX2XjdrLXdQSXaQf8YH
         KS2tLxghN3U3373hTqC4n5m9nuaRr0eWkqSHCav1e/SkPlKAH9Ong5QCNQluWHKS+58t
         fYkg==
MIME-Version: 1.0
X-Received: by 10.50.239.131 with SMTP id vs3mr795117igc.34.1391206106726;
 Fri, 31 Jan 2014 14:08:26 -0800 (PST)
Received: by 10.50.29.140 with HTTP; Fri, 31 Jan 2014 14:08:26 -0800 (PST)
In-Reply-To: <CAGa2bXaKiKzQvEpb-8Y0YtXip4TGwNXsErkwEgOrocyP7WHa8w@mail.gmail.com>
References: <CAH8MpnmVnYiw7nJ11v+h=31+p+HBopBjJ80afpZkW-bW1LJb2A@mail.gmail.com>
	<CALwr1GnCqXZUk5zDfmtBa8cqmZS9qiGxVtc0JAbpShsJPodhtw@mail.gmail.com>
	<CAH8Mpn=1OMhKjMPAFGQ6hF309zFN4=ZFMZc06ZQvT8S2vX4hJw@mail.gmail.com>
	<824758DB-57D8-4B4B-BECD-E1F12531FDE0@rouvenwessling.de>
	<CAH8Mpn=3D7bSWQicgaRPKBtriqkk08p8Jh0+ud6N8BEbJXAu7w@mail.gmail.com>
	<CAGa2bXaKiKzQvEpb-8Y0YtXip4TGwNXsErkwEgOrocyP7WHa8w@mail.gmail.com>
Date: Fri, 31 Jan 2014 17:08:26 -0500
Message-ID: <CAH8MpnnRYCd3dX=7Y7C63TqNGCh2gRVsodctiRrjJkvNS7Zb1g@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: =?ISO-8859-1?Q?Rouven_We=DFling?= <me@rouvenwessling.de>, 
	=?ISO-8859-1?Q?P=E1draic_Brady?= <padraic.brady@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1134db86cd6eed04f14b699a
Subject: Re: [PHP-DEV] Improved TLS Defaults
From: rdlowrey@gmail.com (Daniel Lowrey)

--001a1134db86cd6eed04f14b699a
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On Fri, Jan 31, 2014 at 4:47 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi Daniel,
>
> On Fri, Jan 31, 2014 at 2:17 AM, Daniel Lowrey <rdlowrey@gmail.com> wrote=
:
>
>> On Thu, Jan 30, 2014 at 12:11 PM, Rouven We=DFling <me@rouvenwessling.de
>> >wrote:
>>
>> >
>> > On 30.01.2014, at 04:15, Daniel Lowrey <rdlowrey@gmail.com> wrote:
>> >
>> >  As I mentioned in the updated RFC
>> > text I think it makes sense to deprecate the specific wrappers in 5.6
>> and
>> > look to remove them in 5.7 as they're really unnecessary in light of t=
he
>> > ability to specify flags for the specific individual protocols you wis=
h
>> to
>> > use on a given stream.
>> >
>> >
>> > Please don't. By deprecating in 5.6 and removing in 5.7 (which would b=
e
>> > faster than anything before) you'd royally screw everyone skipping a
>> > version - something that gets increasingly likely with the faster
>> release
>> > cycle.
>> >
>> > I'd suggest deprecating them now with this RFC and remove it in PHP 6,
>> if
>> > PHP6 doesn't come around they could still be removed in a future RFC.
>> >
>> > Best regards
>> > Rouven
>> >
>>
>> Sounds good to me. Will update the RFC for deprecation of the sslv2:// a=
nd
>> sslv3:// stream wrappers in 5.6 with removal planned for PHP 6.
>>
>
> I agree that obsolete protocol should be deprecated.
> However, removal is totally different. I would like to have *long* period
> before
> removing any feature from PHP whenever it is possible. It could be used a=
s
> toy
> for security experiments as well as for incredibly old internal servers
> never updated.
>  Perhaps, remove them for PHP 7 or even 8?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>

I'm perfectly fine with a long period for removal. However I don't see any
reason to persist deprecated features into a PHP 6 version because all the
existing functionality is retained. I'm only deprecating the potentially
confusing protocol-specific stream wrappers -- not the ability to use the
old protocols. Even when the deprecated wrappers are removed the old
protocols will still be available.

I understand that it's a bit difficult to see the difference in the current
RFC version because I haven't added code examples yet. However, I finished
the implementation patch with tests today and will update the RFC either
this evening or tomorrow with a fully mature proposal. I've taken into
account everything that has been discussed to this point and am pleased
with the resulting solution (I think everyone else will be as well). I'll
mail the list when the "final" (subject to input) RFC is live on the wiki
and we can revisit the conversation if necessary.

As always, the input is greatly appreciated!

--001a1134db86cd6eed04f14b699a--