Newsgroups: php.internals
From: anatol.php@belski.net ("Anatol Belski")
To: "'Jakub Zelenka'", "'PHP internals list'"
Date: Thu, 14 Jul 2016 10:15:01 +0200
Subject: RE: [PHP-DEV] Dropping SSL2 in 7.1

Hi Jakub,

> -----Original Message-----
> From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of Jakub Zelenka
> Sent: Wednesday, July 13, 2016 9:11 PM
> To: PHP internals list
> Subject: [PHP-DEV] Dropping SSL2 in 7.1
>
> Hi,
>
> It's been already proposed by Remi using PR [1] so sending it here as well.
> I would like to proceed and drop SSL2 support from PHP. Effectively it means
> dropping ssl2 stream as it's not already negotiated by default.
>
> It's been dropped in OpenSSL 1.1 and we don't already support it with 1.0.2.
> Considering that I will be merging dropping support for 0.9.8 and
> 1.0.0 shortly, it leaves just 1.0.1 that would support it. Considering also the
> possible security issues, I think there is no reason to keep it.
>
> Please let me know if any objections.
>
> [1] https://github.com/php/php-src/pull/1826
>

To be mentioned, even the currently active OpenSSL branches disable SSLv2 by default nowadays. Here's the info https://openssl.org/news/secadv/20160301.txt

Regards

Anatol