Newsgroups: php.internals
Subject: Re: [PHP-DEV] TLS v1.2 -only- deployments
From: Thomas Hruska <thruska@cubiclesoft.com>
To: Anatol Belski, PHP Development <internals@lists.php.net>
Date: Fri, 12 May 2017 06:50:57 -0700
Message-ID: <4cba4892-b83a-c4f3-f7f5-aa63cd0b684c@cubiclesoft.com>
References: <702de8c0-146e-268f-edf8-d0ea900a87e0@cubiclesoft.com>

On 5/11/2017 4:08 AM, Anatol Belski wrote:
> Hi Thomas,
>
>> -----Original Message-----
>> From: Thomas Hruska [mailto:thruska@cubiclesoft.com]
>> Sent: Tuesday, May 9, 2017 5:33 PM
>> To: PHP Development
>> Subject: [PHP-DEV] TLS v1.2 -only- deployments
>>
>> Over the past two weeks, I've observed quite a bit of PHP 7+ userland code
>> breaking due to remote hosts switching to a TLS 1.2 only policy.
>> For various specific reasons, I strongly suspect that PCI DSS 3.1 implementations
>> or compliance audits against that spec have something to do with the changes
>> that I'm seeing:
>>
>> https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
>>
>> In just the last two weeks, I've seen completely unrelated servers of various
>> vendors go offline for an upgrade. When they come back up a short bit later,
>> they are suddenly configured for TLS 1.2 only. Running a Qualys SSL Labs test
>> confirms the changes. It's a rather specific change to encounter in such a short
>> period of time.
>>
>> PHP userland code (e.g. stream_socket_client()) is unable to connect to such
>> hosts via "tls://" host strings. The string has to be updated to use the version-
>> specific string "tlsv1.2://" before the connecting code starts working again.
>>
> What would be interesting is to know some exact servers you mention, to verify,
> if it were possible to call them by name. In general, probably having some
> reliable stats on the matter would not be bad. Particularly with the reason you
> suspect - so if the changes are driven by the payment branch, they probably
> should be respected by both apps and servers. If some server providers do
> changes suddenly, thus breaching customer apps, we need to evaluate the extent
> of the breach. F.e. stats linked by the Qualys labs itself tell there are still
> over 90% of about 140 000 servers supporting TLS 1.0. OFC. Though, there are
> some billions of servers around the globe, so not sure how the stats are
> representative. I think in any case, especially if apps are branch specific,
> explicit TLS 1.2 is probably the best way, like anything explicit in security.
>
> Regards
>
> Anatol

Sorry for the delayed reply.

For NDA reasons, I can't tell you which servers or vendors are involved.
All I know is that I saw a bunch of systems across disparate vendors in a
very short amount of time switching to TLS 1.2 only, which left me confused
and wondering what in the world was going on. Only after someone in a
completely unrelated context forwarded me a message they received from
Authorize.net did I make a PCI DSS connection - all of the systems that
changed are involved with PCI compliance and auditing to various degrees.

Authorize.net recently publicly announced that they are migrating to TLS 1.2
only and have already switched their sandbox environment over:

https://community.developer.authorize.net/t5/News-and-Announcements/Experiencing-Sandbox-Connection-Issues-TLS-1-2-Is-Now-Required/td-p/57948

-- 
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/
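The userland fix described in the thread ("tls://" failing against a TLS 1.2-only host, "tlsv1.2://" working), as an added example that is not part of the original message or of any PHP project code. It shows the two explicit forms available since PHP 5.6: the version-specific "tlsv1.2://" wrapper and, independent of the wrapper, the 'crypto_method' SSL context option, and it reads back the negotiated protocol from stream_get_meta_data() so the caller can verify what was actually agreed. The function name connectTls, the host passed on the command line and the 10-second timeout are assumptions for illustration; the host must be a TLS endpoint you are allowed to connect to.

```php
<?php
// Added example, not code from the original thread or from php-src.
// Background (PHP UPGRADING notes): in PHP 5.6 through 7.1 the "tls://"
// wrapper (STREAM_CRYPTO_METHOD_TLS_CLIENT) offered TLS 1.0 only, which is
// exactly what a TLS 1.2-only server rejects; PHP 7.2 widened it to
// TLS 1.0/1.1/1.2. Pinning the version explicitly works on every 5.6+ release.

declare(strict_types=1);

/**
 * Open a TLS connection to $host:$port and report what was negotiated.
 *
 * @param string   $scheme       "tls://" (version-ambiguous) or "tlsv1.2://".
 * @param int|null $cryptoMethod STREAM_CRYPTO_METHOD_* constant to pin the
 *                               version via the context, or null to rely on
 *                               the wrapper scheme alone.
 * @return array{ok: bool, error?: string, protocol?: string, cipher?: string}
 */
function connectTls(
    string $host,
    int $port = 443,
    string $scheme = 'tlsv1.2://',
    ?int $cryptoMethod = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
): array {
    // Keep certificate and hostname verification on; a version bump is not a
    // reason to loosen anything else.
    $sslOpts = [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,
        'SNI_enabled'       => true,
        'allow_self_signed' => false,
    ];
    if ($cryptoMethod !== null) {
        // Explicit protocol selection, independent of the wrapper scheme.
        $sslOpts['crypto_method'] = $cryptoMethod;
    }
    $ctx = stream_context_create(['ssl' => $sslOpts]);

    $errno  = 0;
    $errstr = '';
    $fp = @stream_socket_client(
        $scheme . $host . ':' . $port,
        $errno,
        $errstr,
        10,                     // assumption: connect timeout in seconds
        STREAM_CLIENT_CONNECT,
        $ctx
    );
    if ($fp === false) {
        // A TLS 1.0-only client hello against a TLS 1.2-only server fails
        // here with an OpenSSL handshake error.
        return ['ok' => false, 'error' => "$errstr ($errno)"];
    }

    // The 'crypto' key carries the negotiated protocol and cipher suite.
    $meta = stream_get_meta_data($fp);
    fclose($fp);

    return [
        'ok'       => true,
        'protocol' => $meta['crypto']['protocol'] ?? 'unknown',
        'cipher'   => $meta['crypto']['cipher_name'] ?? 'unknown',
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $host = $argv[1]; // assumption: a TLS 1.2-only host you control

    // The form that broke in the thread: wrapper-only, no crypto_method.
    // On PHP < 7.2 this sends a TLS 1.0 client hello.
    print_r(connectTls($host, 443, 'tls://', null));

    // Explicit TLS 1.2 via the wrapper scheme alone.
    print_r(connectTls($host, 443, 'tlsv1.2://', null));

    // Explicit TLS 1.2 via the context option; the scheme no longer matters.
    print_r(connectTls($host, 443, 'tls://', STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT));
}
```

Run it as `php connect_tls.php example.test` against a host known to be TLS 1.2-only. On PHP 7.0/7.1 the first call returns `ok => false` and the other two return `protocol => TLSv1.2`; on PHP 7.2+ all three succeed, but the third form is still the one to ship, because it states the requirement in code rather than depending on which PHP release happens to run it.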