Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94504 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 64608 invoked from network); 13 Jul 2016 21:42:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 13 Jul 2016 21:42:23 -0000 Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 209.85.218.46 as permitted sender) X-PHP-List-Original-Sender: scott@paragonie.com X-Host-Fingerprint: 209.85.218.46 mail-oi0-f46.google.com Received: from [209.85.218.46] ([209.85.218.46:32970] helo=mail-oi0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 75/06-10509-EB5B6875 for ; Wed, 13 Jul 2016 17:42:22 -0400 Received: by mail-oi0-f46.google.com with SMTP id j185so84072273oih.0 for ; Wed, 13 Jul 2016 14:42:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=e+GDbCl1v50U9nP8bN+mBvUHlz/T06n55WnwedBy24U=; b=FVbRb64v4q55DkM+x4K+sWsI7It+6tLgf0Fv0zJG8ibwCkYav9NzJzrmARFlUCO9/Q BEdXQN8ygxXyMcD60COz7lJIzTi1+oY7TS/g9HcJqT+4ruzzqSUErDeWlrYsxR9SJdFY FYbZqHZkTe2PegzhyFcLTFxhVy60dz6pgrQClaHCPAZZzmPeuzvYJRxfcYHxBd2iLg0N qyLA0AdezMa8DSLauyvqqliXAyfhA5tX/KaOuMqu0akSeT1AQRjirCv1ySs0HCblwvXp 6IZDuBBIgTNJD7sD2m5SEbc1o0kEoRuXjWRbcXiXBpw0y4DlAUrae/eyxj3KL/flVkyf YT5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=e+GDbCl1v50U9nP8bN+mBvUHlz/T06n55WnwedBy24U=; b=Ziupr3lM0iPoa1/6dkzYlSTwffflzv3yVclT7+aHcOfsH12sLiz8w6W1dkRLKs/RP8 I+GdQfFuC/sSnviToMLrx989yw4e+hHbXgzoAfcyeFrGbSot6xtjj7IAbetKmuNBu7pF ItsEdhNhlvEWte53i+V8OPadvYmS9e/yliuk/qQ1F/jfaDm/G6E+WwjUTxQWJmoH62s1 d4zysHj1QOai7f0/D3Z74vs4INpF42rcMFBgXf5Qq222olzGDfxMBSj0XUl81kPn1XnJ m4GuLsRaszHVRYKhCKZXCuqI45ScViC3rYv/OngzFXh/EmRqgMdTWULQDPaFMs66dfgU P7eQ== X-Gm-Message-State: ALyK8tLegkx/QNhsjFzOGLE8tOs/qw9c7ITqMU36A5fvv3D9z5wxD8VDbsRM0vM49dZ5W9my4UEN4QHneyYSsQ== X-Received: by 10.157.33.56 with SMTP id i53mr6685934otb.75.1468446139012; Wed, 13 Jul 2016 14:42:19 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.10.101 with HTTP; Wed, 13 Jul 2016 14:42:18 -0700 (PDT) In-Reply-To: References: Date: Wed, 13 Jul 2016 17:42:18 -0400 Message-ID: To: Jakub Zelenka Cc: PHP internals list Content-Type: multipart/alternative; boundary=001a113d163a7cf13f05378b4206 Subject: Re: [PHP-DEV] Dropping SSL2 in 7.1 From: scott@paragonie.com (Scott Arciszewski) --001a113d163a7cf13f05378b4206 Content-Type: text/plain; charset=UTF-8 If we don't drop SSL2 support we might DROWN in technical debt. This would get a massive +1 from me. (Can we consider dropping SSL3 too in 7.2?) Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises On Wed, Jul 13, 2016 at 3:11 PM, Jakub Zelenka wrote: > Hi, > > It's been already proposed by Remi using PR [1] so sending it here as well. > I would like to proceed and drop SSL2 support from PHP. Effectively it > means dropping ssl2 stream as it's not already negotiated by default. > > It's been dropped in OpenSSL 1.1 and we don't already support it with > 1.0.2. Considering that I will be merging dropping support for 0.9.8 and > 1.0.0 shortly, it leaves just 1.0.1 that would support it. Considering also > the possible security issues, I think there is no reason to keep it. > > Please let me know if any objections. > > [1] https://github.com/php/php-src/pull/1826 > > Cheers > > Jakub > --001a113d163a7cf13f05378b4206--