Newsgroups: php.internals
Subject: Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)
To: Jakub Zelenka
Cc: PHP Internals
Date: Mon, 3 Jul 2017 15:13:50 +0200

2017-05-30 22:26 GMT+02:00 Jakub Zelenka:

> On Mon, May 29, 2017 at 9:16 PM, Niklas Keller wrote:
>
>> 2017-05-29 22:00 GMT+02:00 Jakub Zelenka:
>>
>>> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
>>>
>>>> Morning Internals,
>>>>
>>>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>>>
>>> Wouldn't it be better to use security levels instead, as it is in OpenSSL? Of
>>> course I mean just for the sig level, to not re-implement everything. Basically
>>> having sig_level or something like that...
>>>
>> As we can't use the OpenSSL implementation directly, I don't see any
>> reason to use arbitrary integers there which you have to look up again.
>> Maybe we should find a totally different way.
>>
> Well, we are going to implement security levels at some point anyway, as it
> is the primary way to control security strength in OpenSSL 1.1+, so
> people will need to look it up anyway. It is also much easier to use than
> directly setting security bits IMHO. It might also allow us to simplify the
> implementation in the future (for example, if it gets separated into its own
> verify param in the future, we could use that). Also, we will be able to
> just completely skip that if the main security level is already on that
> level or higher (it would already be covered by that).
>
> Please mind that this is an OpenSSL extension, so we should prefer the API
> offered by the library and not try to invent our own solutions.
>
> Cheers
>
> Jakub

What's the way to proceed now? Time is running low for the PHP 7.2 feature freeze.

I've implemented it manually for https://github.com/amphp/socket/pull/31 now. The captured chain always seems to contain the trusted certificate as the last certificate.

Honestly, what isn't secure for the public internet PKI shouldn't be considered secure for other contexts. I'd personally be fine with not even providing a setting other than disabling verify_peer.

Regards, Niklas
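As an added illustration (not the RFC's implementation and not the amphp/socket code linked above), this is the kind of check a userland "min_signature_bits" policy has to perform on a chain captured with `capture_peer_cert_chain`: read each certificate's signature algorithm via `openssl_x509_parse()`, reject hashes below the threshold, and skip a self-signed trust anchor at the end of the chain because its own signature is never what verification relies on. The digest-name-to-bits table and the constructed test chain are assumptions of this example.

```php
<?php
declare(strict_types=1);

/** Digest output bits of a certificate's signature algorithm, or null if unknown. */
function signatureHashBits(array $parsedCert): ?int
{
    // openssl_x509_parse() reports e.g. "RSA-SHA256", "ecdsa-with-SHA384", "RSA-SHA1".
    $name = $parsedCert['signatureTypeSN'] ?? '';
    if (preg_match('/sha(\d{1,3})/i', $name, $m)) {
        // Map digest name suffix to its output length in bits (assumed table).
        $bits = ['1' => 160, '224' => 224, '256' => 256, '384' => 384, '512' => 512];
        return $bits[$m[1]] ?? null;
    }
    return stripos($name, 'md5') !== false ? 128 : null; // null = unknown, treated as failure
}

/** Throws if any signature the chain's verification depends on is weaker than $minBits. */
function enforceMinSignatureBits(array $chain, int $minBits): void
{
    $last = count($chain) - 1;
    foreach ($chain as $i => $cert) {
        $info = openssl_x509_parse($cert);
        if ($info === false) {
            throw new RuntimeException("Unparsable certificate at chain index $i");
        }
        // The trust anchor sits at the end of the captured chain; when it is self-signed,
        // its signature carries no trust (the store does), so it is not subject to the policy.
        if ($i === $last && $info['issuer'] === $info['subject']) {
            continue;
        }
        $bits = signatureHashBits($info);
        if ($bits === null || $bits < $minBits) {
            throw new RuntimeException(sprintf('Certificate %d (%s) signed with %s (%s bits), minimum is %d',
                $i, $info['name'], $info['signatureTypeSN'] ?? '?', $bits ?? 'unknown', $minBits));
        }
    }
}

// Constructed offline sample: a SHA-1-signed leaf issued by a SHA-256 self-signed root.
$caKey   = openssl_pkey_new(['private_key_bits' => 2048]);
$root    = openssl_csr_sign(openssl_csr_new(['commonName' => 'Test Root'], $caKey),
                            null, $caKey, 365, ['digest_alg' => 'sha256']);
$leafKey = openssl_pkey_new(['private_key_bits' => 2048]);
$leaf    = openssl_csr_sign(openssl_csr_new(['commonName' => 'leaf.example'], $leafKey),
                            $root, $caKey, 365, ['digest_alg' => 'sha1']);

try {
    enforceMinSignatureBits([$leaf, $root], 256); // the root passes (skipped), the leaf is rejected
    echo "chain accepted\n";
} catch (RuntimeException $e) {
    echo "chain rejected: ", $e->getMessage(), "\n";
}
```

In a real client the same function runs over `stream_context_get_options($context)['ssl']['peer_certificate_chain']` after a connection made with `verify_peer` and `capture_peer_cert_chain` enabled.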