Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:97207 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 73650 invoked from network); 27 Nov 2016 14:22:27 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Nov 2016 14:22:27 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.162 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.162 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.162] ([81.169.146.162:18755] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 75/E6-21589-E1CEA385 for ; Sun, 27 Nov 2016 09:22:25 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1480256539; l=8747; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To: MIME-Version; bh=eXbRC2w4/E7lI0r0ksmCJwAvlkpbr3nsNbb8HwKq0iU=; b=RUXxMPy5m5C89GvUamaiBUDmp1mH0OxJJiK+9G0gx2GWz2RXx/GCWUjEmkxeD/lXWJ saCBA6hGIVz+dj4ll1ceZ9HQE7w5M7YwrqF5YFvLkyBfGB8Ns5Odg+XYl9ZDo5WgeRKr 52p39bQzptimNen5dDf5zu8bHLw9R6yq2Q/R4= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3Y6 X-RZG-CLASS-ID: mo00 Received: from mail-wm0-f45.google.com ([74.125.82.45]) by smtp.strato.de (RZmta 39.9 AUTH) with ESMTPSA id c07c4csAREMJ1XQ (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Sun, 27 Nov 2016 15:22:19 +0100 (CET) Received: by mail-wm0-f45.google.com with SMTP id a197so182718293wmd.0 for ; Sun, 27 Nov 2016 06:22:19 -0800 (PST) X-Gm-Message-State: AKaTC00PWpdgLPrN7UYpZmoTMylI5F0V7odZ0fXDmHXUob1neM5hx9FL/4OwEMZbILi3S03UH7WHc98BxD6eqQ== X-Received: by 10.28.127.9 with SMTP id a9mr16062806wmd.95.1480256538983; Sun, 27 Nov 2016 06:22:18 -0800 (PST) MIME-Version: 1.0 Received: by 10.80.135.133 with HTTP; Sun, 27 Nov 2016 06:22:18 -0800 (PST) In-Reply-To: References: Date: Sun, 27 Nov 2016 15:22:18 +0100 X-Gmail-Original-Message-ID: Message-ID: To: Jakub Zelenka Cc: PHP Internals Content-Type: multipart/alternative; boundary=001a1141cf7a2ec96a0542491575 Subject: Re: [PHP-DEV] [RFC] Distrust SHA-1 Certificates From: me@kelunik.com (Niklas Keller) --001a1141cf7a2ec96a0542491575 Content-Type: text/plain; charset=UTF-8 2016-11-27 14:09 GMT+01:00 Jakub Zelenka : > > > On Sun, Nov 27, 2016 at 1:06 PM, Jakub Zelenka wrote: > >> >> >> On Sat, Nov 26, 2016 at 3:49 PM, Niklas Keller wrote: >> >>> Morning Internals, >>> >>> I plan to distrust SHA-1 certificates by default in PHP 7.2. All major >>> browsers will no longer trust SHA-1 certificates starting already >>> 2017-01-01. >>> >>> Unfortunately, PHP doesn't even provide a way yet to limit the accepted >>> algorithms for certificates. The RFC fixes that and introduces new >>> defaults >>> for PHP 7.2. The "signature_algorithms" context option will also be >>> backported to PHP 5.6, which is only supported until the end of 2016 with >>> regular releases, but after that there will be two more years of >>> security-only updates. Therefore I'd like to get this done before the end >>> of 2016. >>> >>> Currently the RFC aims for BC and doesn't restrict the algorithms on >>> older >>> versions. As all major browsers start distrusting those certificates on >>> 2017-01-01 I'm not sure whether that's the correct choice. I'd like to go >>> secure-by-default there and disable SHA-1 also on older versions. People >>> which really need longer can always opt-out and add the needed algorithms >>> again. Unfortunately, we didn't announce any plans regarding SHA-1 yet, >>> so >>> this might be a bit last-minute. >>> >>> You can read the full RFC in the wiki: >>> https://wiki.php.net/rfc/distrust-sha1-certificates >>> >>> >> I think you should change the format to match the one supported by >> OpenSSL [1] which is also simpler. >> > It is exactly in OpenSSL's format for SSL_CTX_set1_sigalgs_list. > In general I'm not a big fan of such defaults especially when new values >> can be added later (e.g. EdDSA that is specified in TLS 1.3) so we have to >> keep it up to date which was kind of issue in the past. >> > That's true, but I don't see a way in OpenSSL do have a blacklist instead, but we could do that in our own verify callback. > However I see the point that we should make it easier for users to have it >> secure by default so it's probably a good choice. It's not actually just >> about SHA >> > > Ah sent before I finished it. :) I wanted to say that it's not just about > SHA-1 but also MD5 that I think we might still support but would have to > double check that... > I wanted to double-check that, too, but didn't do that yet. If MD5 is still supported, we should definitely put it into PHP 5.6 as a security update. As far as I can see, MD5 support is the case if it has not been disabled by the OpenSSL version in use, as all supported algorithms are allowed by default. SSL_CTX_set1_sigalgs is anyway only supported starting in OpenSSL 1.0.2, so we need a custom verify callback for older OpenSSL versions. In our own verify callback we can use a blacklist instead of the suggested whitelist by default. Regards, Niklas --001a1141cf7a2ec96a0542491575--