Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99227 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 24687 invoked from network); 29 May 2017 10:58:25 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 May 2017 10:58:25 -0000 Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.217 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.217 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.217] ([81.169.146.217:15666] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 8F/D2-34073-0DEFB295 for ; Mon, 29 May 2017 06:58:25 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1496055501; l=4067; s=domk; d=kelunik.com; h=Content-Type:To:Subject:Date:From:References:In-Reply-To: MIME-Version; bh=1U9GU78W2G7tNDd+obYmTWQbACGFOlgpX+cbMJelNS8=; b=OetnVjNqLJDilJZ7vHl1Lr4/596EjuENcEJcG66QOxP5RsGrM+XHBbBrw6yxuLqCM8 cDjTajapJXQNLIxrArNVC5Buymr/ivDsh+hG/eMT2CNZd0AP4iQ5Y0poBZrawzS6KLlX kW0VxHztSCM3Qb7YLcClnaEwChOpKB0mebOj4= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLDup6E67mzuoNHBqX93Q== X-RZG-CLASS-ID: mo00 Received: by mail-oi0-f45.google.com with SMTP id b204so74888360oii.1 for ; Mon, 29 May 2017 03:58:20 -0700 (PDT) X-Gm-Message-State: AODbwcCVrhZwpxPa9LqKhccDIRzXNdiIUC4ChaI4D7pz2mlS62heJQM8 MmCkSjtAFMlNg9mqr1cn7/jdRHhV7w== X-Received: by 10.202.76.138 with SMTP id z132mr6858445oia.149.1496055500275; Mon, 29 May 2017 03:58:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.176.133 with HTTP; Mon, 29 May 2017 03:58:19 -0700 (PDT) In-Reply-To: References: Date: Mon, 29 May 2017 12:58:19 +0200 X-Gmail-Original-Message-ID: Message-ID: To: PHP Internals , Jakub Zelenka Content-Type: multipart/alternative; boundary="001a1134e75ea88cd60550a790ba" Subject: Re: [RFC] Distrust SHA-1 Certificates From: me@kelunik.com (Niklas Keller) --001a1134e75ea88cd60550a790ba Content-Type: text/plain; charset="UTF-8" Morning Internals, I have updated the RFC to use a "min_signature_bits" setting instead. Please share your thoughts. https://wiki.php.net/rfc/distrust-sha1-certificates Regards, Niklas 2016-11-26 16:49 GMT+01:00 Niklas Keller : > Morning Internals, > > I plan to distrust SHA-1 certificates by default in PHP 7.2. All major > browsers will no longer trust SHA-1 certificates starting already > 2017-01-01. > > Unfortunately, PHP doesn't even provide a way yet to limit the accepted > algorithms for certificates. The RFC fixes that and introduces new defaults > for PHP 7.2. The "signature_algorithms" context option will also be > backported to PHP 5.6, which is only supported until the end of 2016 with > regular releases, but after that there will be two more years of > security-only updates. Therefore I'd like to get this done before the end > of 2016. > > Currently the RFC aims for BC and doesn't restrict the algorithms on older > versions. As all major browsers start distrusting those certificates on > 2017-01-01 I'm not sure whether that's the correct choice. I'd like to go > secure-by-default there and disable SHA-1 also on older versions. People > which really need longer can always opt-out and add the needed algorithms > again. Unfortunately, we didn't announce any plans regarding SHA-1 yet, so > this might be a bit last-minute. > > You can read the full RFC in the wiki: https://wiki.php.net/ > rfc/distrust-sha1-certificates > > Regards, Niklas > --001a1134e75ea88cd60550a790ba--