Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72750 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 44067 invoked from network); 21 Feb 2014 21:18:44 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Feb 2014 21:18:44 -0000 Authentication-Results: pb1.pair.com header.from=rdlowrey@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rdlowrey@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.172 as permitted sender) X-PHP-List-Original-Sender: rdlowrey@gmail.com X-Host-Fingerprint: 209.85.223.172 mail-ie0-f172.google.com Received: from [209.85.223.172] ([209.85.223.172:59369] helo=mail-ie0-f172.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id EF/A4-17822-3B2C7035 for ; Fri, 21 Feb 2014 16:18:44 -0500 Received: by mail-ie0-f172.google.com with SMTP id rd18so1765691iec.17 for ; Fri, 21 Feb 2014 13:18:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rDS5I0MglnMtdsOuizc7mQ7txD20WF1uYhhLWZpheqg=; b=bqwpYdRNt/4TgtUH4DX181KxwIHlBfCAyzw3GJEgksGEjOqxdNwWm+iO/xTE6czmJB wpZapJed977IAhTqieYUseAOyX23BdRxo1dedZSf6cciSJ6XAsNoijiWmCPAoiOqDtA9 u1DogExU0Xpmya+kJRknNQe5F/oFRR44DXJsri3HKjz0do8AF6QvFFFC/ij/MC9kaLtl O4DUN93EElmp9Z+7PTnj0OlDj7O2c5P7i2q3K4U1btmvyLuSxDwH7aFwa5uuOfgnl0wh JpKuT09GW33oshOWCJY55z+C+7LGJqOiZJaRe3H0QtcVKH53GpsdHsVPsoIcAbM++iTI XsRA== MIME-Version: 1.0 X-Received: by 10.50.171.169 with SMTP id av9mr1875719igc.14.1393017520441; Fri, 21 Feb 2014 13:18:40 -0800 (PST) Received: by 10.50.34.131 with HTTP; Fri, 21 Feb 2014 13:18:40 -0800 (PST) In-Reply-To: References: Date: Fri, 21 Feb 2014 16:18:40 -0500 Message-ID: To: Yasuo Ohgaki Cc: =?ISO-8859-1?Q?P=E1draic_Brady?= , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=089e0111c1ca78d1c704f2f12a82 Subject: Re: [PHP-DEV] Future TLS roadmap From: rdlowrey@gmail.com (Daniel Lowrey) --089e0111c1ca78d1c704f2f12a82 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On Wed, Feb 12, 2014 at 4:41 PM, Yasuo Ohgaki wrote: > Hi all, > > On Wed, Feb 12, 2014 at 10:39 PM, P=E1draic Brady wrote: > >> On 12 February 2014 13:22, Daniel Lowrey wrote: >> > FYI, these are things I plan to work on for the post-5.6 timeframe: >> > >> > - Support for SNI in *servers* (currently only supported by clients) >> > - Support for DTLS (datagram client/server encryption) >> > - Mitigating the client-initiated renegotiation DoS vector in TLS >> servers >> > >> > Most TLS changes could probably pass as "security fixes" and may be >> > feasible for 5.6 bugfix releases. The alternative is obviously to put >> them >> > in master and wait for 5.7. In any case we can cross that bridge when = we >> > get there. >> >> I'd support the renegotiation DOS vector as a current bugfix - it's >> been documented for what, 2 years now since a POC was published? > > > I'm getting used to delayed security fixes... > +1 for fix it ASAP. > > To interested parties ... Because it's a security vulnerability for encrypted stream servers I've taken care of client-initiated renegotiation DoS mitigation and merged it for 5.6: https://github.com/php/php-src/pull/600 The implementation uses a standard leaky bucket rate-limiting approach. If you'd like to know more just click over to the PR link above. --089e0111c1ca78d1c704f2f12a82--