Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Improved SSL / TLS constants
From: bukka@php.net (Jakub Zelenka)
Date: Mon, 29 May 2017 20:52:44 +0100
To: Anatol Belski
Cc: Niklas Keller, Nikita Popov, PHP Internals

On Mon, May 29, 2017 at 7:59 PM, Anatol Belski wrote:

> Hi,
>
> > I'd really prefer if this RFC targeted current patch branches. I see
> > minimal BC impact from the change (issues may only arise when
> > communicating with broken TLS implementations), while *not* making the
> > change is effectively a BC break as more servers stop supporting TLS 1.0.
> >
> > For the lifetime of the 7.0 and 7.1 releases, it appears much more
> > likely to me that there will be more servers not supporting TLS 1.0 than
> > servers supporting only TLS 1.0 *and* having a broken version
> > negotiation implementation.
>
> Nikita, IMHO there's too much uncertainty. It's not that TLS 1.2 and co
> is not supported at all. Basically, it is an app responsibility and an
> issue which we should not try to fix. The real world is not going easy
> with changes of this kind. There are still, and will be, both those that
> change rapidly and those that stay longer. The linked doc from the
> original thread,
> https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls,
> originally posted 2015, talks about "extending the migration completion
> date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure
> version of TLS". Well, ...
>
> The issue I see with proceeding this way into stable is that reliable
> stats are missing and unlikely to be obtained. The only info for now is
> the original report that *some* servers switched to TLS 1.2 only, and
> that there are policy changes in the payment card industry which have
> recommended an upgrade already for two years. From another point, I
> spoke to some arbitrary companies and individuals I could reach, where
> the situation is not different from "moving slow". E.g. a company with
> up to 10-20 employees still has to support old encryption protocols,
> because a switch would mean they would have to throw away half of their
> current hardware. It can ofc go differently depending on the industry
> branch, where we see even sectors like payment things go quite
> sluggishly. Not telling it's a good situation, but kinda usual.
>
> We didn't have a policy about default TLS versions till now, so a change
> like that might be unexpected, depending on what OpenSSL wants to do
> under the hood. Perhaps, regarding such a policy, we could say that any
> PHP.next whatsoever should support the latest available TLS version by
> default. An app can always use an explicit TLS scheme if required, or it
> can upgrade PHP.
>
> > Same here, but Anatol suggested releasing this with PHP 7.2 first and
> > if nobody complains, backport it to PHP 7.1 and 7.0.
>
> Well, it was said before the patch was changed to touch ssl:// as well.
> In the current approach, yes for 7.2 for sure. Otherwise, at least 7.0
> is already nearly half its lifetime old, so a controversial change like
> this is probably too late without a good reason.

I agree with Anatol. I don't think we should backport those changes,
especially the tls:// changes that have a real BC impact (yes, there are
servers that hang when 1.2 is negotiated and I have experienced it). That
said, I think it's good for 7.2!

Regards

Jakub
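As an added illustration (not code from this thread or from the RFC patch), this is what "an explicit TLS scheme" instead of relying on the tls:// default looks like in PHP's stream API; the function name, host and port are placeholders chosen here.

```php
<?php
// Added example, not from the thread or the RFC patch. Opens an outbound
// connection with an explicitly selected TLS version (the "tlsv1.2://"
// transport), so the negotiated version does not depend on what PHP's
// generic tls:// default happens to pick in a given release.

function connectWithExplicitTls(string $host, int $port = 443, float $timeout = 10.0)
{
    // Pin the protocol version in the transport scheme itself. The same
    // effect is available through the 'crypto_method' ssl context option
    // (STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT); the scheme form is shorter.
    $address = sprintf('tlsv1.2://%s:%d', $host, $port);

    $context = stream_context_create([
        'ssl' => [
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host, // name used for the certificate check
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    $stream = @stream_socket_client($address, $errno, $errstr, $timeout,
                                    STREAM_CLIENT_CONNECT, $context);
    if ($stream === false) {
        // A peer that cannot complete a TLS 1.2 handshake (or hangs during
        // version negotiation, as described in the thread) shows up here as
        // a handshake error or timeout rather than a silent fallback.
        throw new RuntimeException(
            "TLS 1.2 connection to {$address} failed: [{$errno}] {$errstr}"
        );
    }
    return $stream;
}

// Usage with a placeholder host; replace with a real endpoint to test.
// $stream = connectWithExplicitTls('example.invalid');
// fwrite($stream, "HEAD / HTTP/1.0\r\nHost: example.invalid\r\n\r\n");
// echo fgets($stream);
// fclose($stream);
```

Because the version is fixed by the scheme, an application that needs TLS 1.2 on an older PHP patch release gets it regardless of the default discussed above, and a server that only speaks TLS 1.0 fails loudly instead of being negotiated down to.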