Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE] Improved TLS Defaults RFC
From: Pádraic Brady <padraic.brady@gmail.com>
To: Daniel Lowrey
Cc: Stas Malyshev, internals@lists.php.net
Date: Wed, 12 Feb 2014 12:17:55 +0000

Hi,

On 11 February 2014 21:53, Daniel Lowrey wrote:
> On Tue, Feb 11, 2014 at 4:16 PM, Stas Malyshev wrote:
>> - What is the motivation for verify_depth default of 3? RFC does not say
>> anything on it.
>
> I admit this one is a somewhat arbitrary limit (which explains the lack of
> explanation in the wiki text). OpenSSL will default to a limit of 9 if we
> don't specify one ourselves, so there's not really that much to be gained
> by using a default of 3. After considering this a bit more I think it best
> to eliminate the addition of a default value in this area altogether. I
> will update the RFC and patch accordingly.

It's partly arbitrary. The main reason for minimising depth, as far as I'm aware, is to minimise the cost of TLS. It's an expensive operation (even for the client) and having an infinite depth may, as far as I know, be a potential DoS risk. The general values used are 3-6, reflecting real-world use. A requirement for a value above this would indicate potential issues with the server. This may be something of a historical artifact since I cannot remember where I heard it. I do know that DoS against SSL servers used to justify limiting this value for certain.

Paddy may need a memory upgrade…

-- 
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
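The verify_depth limit under discussion, demonstrated on a constructed certificate chain; this is an added example, not code from the thread, from PHP or from the RFC. It assumes the openssl command-line tool is installed; PHP's ssl `verify_depth` context option is handed to OpenSSL's SSL_CTX_set_verify_depth(), which is the same limit `openssl verify -verify_depth` applies, and since OpenSSL 1.1.0 that limit counts intermediate CAs only.

```shell
#!/bin/sh
# Added example, not code from the thread or from PHP: build a constructed
# four-certificate chain offline (root -> int1 -> int2 -> leaf) and show what
# the verify_depth knob bounds. PHP's ssl 'verify_depth' context option is
# passed to SSL_CTX_set_verify_depth(); 'openssl verify -verify_depth'
# applies the same limit from the command line.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CAs may sign certificates, the leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

# csr NAME CN: throwaway key plus certificate request.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# issue NAME ISSUER SERIAL EXTFILE: sign NAME's request with ISSUER's key.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
    -days 1 -extfile "$4" -out "$1.pem" 2>/dev/null
}

csr root 'Constructed Root'
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.pem 2>/dev/null
csr int1 'Constructed Intermediate 1'; issue int1 root 2 ca.ext
csr int2 'Constructed Intermediate 2'; issue int2 int1 3 ca.ext
csr leaf 'leaf.example.test';          issue leaf int2 4 leaf.ext
cat int1.pem int2.pem > chain.pem   # what a server would send alongside the leaf

# verify_depth N: exit 0 iff OpenSSL accepts the leaf under a depth limit of N.
# OpenSSL 1.1.0+ counts only intermediate CAs against N; older builds also
# counted the end entity and root, so only clear-cut values are compared here.
verify_depth() {
  openssl verify -CAfile root.pem -untrusted chain.pem -verify_depth "$1" leaf.pem
}

if verify_depth 1; then echo 'unexpected: depth 1 accepted two intermediates'
else echo 'depth 1: rejected, the chain needs two intermediates'; fi
verify_depth 5 && echo 'depth 5: accepted'
```

A limit of 1 rejects the chain on every OpenSSL version because the path needs two intermediates, while 5 accepts it; the thread's 3-6 range leaves room for the chains real CAs actually issue without allowing arbitrarily long ones.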