Newsgroups: php.internals
Date: Sat, 26 Nov 2016 16:49:12 +0100
From: me@kelunik.com (Niklas Keller)
To: PHP Internals
Subject: [RFC] Distrust SHA-1 Certificates

Morning Internals,

I plan to distrust SHA-1 certificates by default in PHP 7.2. All major browsers will no longer trust SHA-1 certificates starting already 2017-01-01. Unfortunately, PHP doesn't even provide a way yet to limit the accepted algorithms for certificates.

The RFC fixes that and introduces new defaults for PHP 7.2. The "signature_algorithms" context option will also be backported to PHP 5.6, which is only supported until the end of 2016 with regular releases, but after that there will be two more years of security-only updates. Therefore I'd like to get this done before the end of 2016.

Currently the RFC aims for BC and doesn't restrict the algorithms on older versions. As all major browsers start distrusting those certificates on 2017-01-01 I'm not sure whether that's the correct choice. I'd like to go secure-by-default there and disable SHA-1 also on older versions. People who really need longer can always opt-out and add the needed algorithms again.

Unfortunately, we didn't announce any plans regarding SHA-1 yet, so this might be a bit last-minute.

You can read the full RFC in the wiki: https://wiki.php.net/rfc/distrust-sha1-certificates

Regards, Niklas