Newsgroups: php.internals
Subject: TLS v1.2 -only- deployments
From: thruska@cubiclesoft.com (Thomas Hruska)
To: PHP Development
Date: Tue, 9 May 2017 08:33:20 -0700
Message-ID: <702de8c0-146e-268f-edf8-d0ea900a87e0@cubiclesoft.com>

Over the past two weeks, I've observed quite a bit of PHP 7+ userland code breaking due to remote hosts switching to a TLS 1.2 only policy.
For various specific reasons, I strongly suspect that PCI DSS 3.1 implementations or compliance audits against that spec have something to do with the changes that I'm seeing:

https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

In just the last two weeks, I've seen completely unrelated servers of various vendors go offline for an upgrade. When they come back up a short bit later, they are suddenly configured for TLS 1.2 only. Running a Qualys SSL Labs test confirms the changes. It's a rather specific change to encounter in such a short period of time.

PHP userland code (e.g. stream_socket_client()) is unable to connect to such hosts via "tls://" host strings. The string has to be updated to use the version-specific string "tlsv1.2://" before the connecting code starts working again.

-- 
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/
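An added example, not part of the message above: a PHP 7 helper that keeps the generic "tls://" scheme but passes a crypto_method context option (which, for the ssl:// and tls:// schemes, takes precedence over the scheme's built-in default) so that a TLS 1.2-only host can be reached without rewriting the address to "tlsv1.2://", while leaving peer verification on and reporting which protocol was actually negotiated. The host name is a placeholder, not an endpoint from the post.

```php
<?php
// Added example (not from the original post). Connect with the generic
// "tls://" scheme and widen the permitted protocol versions via the context,
// so TLS 1.2-only peers negotiate while certificate checks stay enabled.

function tls_connect(string $host, int $port = 443, float $timeout = 10.0): array
{
    // Verification stays ON. Only the allowed protocol set is changed.
    // TLS 1.0/1.1 are offered here solely for legacy peers; drop those two
    // flags if policy requires TLS 1.2 or better.
    $context = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'peer_name'         => $host,
            'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
                                 | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
                                 | STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    // The crypto_method option overrides the scheme default only for the
    // version-agnostic schemes (ssl://, tls://); tlsv1.2:// would ignore it.
    $fp = @stream_socket_client(
        "tls://{$host}:{$port}",
        $errno,
        $errstr,
        $timeout,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($fp === false) {
        return ['ok' => false, 'error' => "{$errstr} ({$errno})"];
    }

    // PHP 5.6+ exposes the negotiated protocol and cipher in the metadata,
    // which is the quickest way to confirm what a peer actually accepted.
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    $crypto = $meta['crypto'] ?? [];

    return [
        'ok'       => true,
        'protocol' => $crypto['protocol'] ?? 'unknown',
        'cipher'   => $crypto['cipher_name'] ?? 'unknown',
    ];
}

print_r(tls_connect('example.com')); // placeholder host
```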