Newsgroups: php.internals
Date: Mon, 3 Jul 2017 20:11:45 +0200
To: Sara Golemon
Cc: Anatol Belski, Jakub Zelenka, PHP Internals
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)

2017-07-03 19:24 GMT+02:00 Sara Golemon:

> On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller wrote:
> > Additionally there will be two INI options which are only added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure defaults without any risk of breaking other apps.
>
> I understand what you're going for there, but it's just a bit weird to have that INI option exist for a weird pair of version ranges and not forward. I'd say keep the INI in 7.2 and (perhaps) mark them deprecated. There's no sense making that upgrade path unreasonably difficult.

True, but I'd like it to be an INI option to strengthen the security, but not to allow weakening it. You really shouldn't use MD5 or SHA1 for TLS certificates in 2018 (!). If you really need it there, you can still set a default stream context option, but we won't clutter the INI options of future versions.

Regards,
Niklas
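As an added example (not code from the RFC or from anyone in this thread), here is an application-level check in the spirit of the proposal: it parses a certificate with openssl_x509_parse() and rejects ones signed with MD5 or SHA-1, failing closed when the signature algorithm cannot be read. The self-signed test certificates, the RSA key and the name example.test are constructed for the demo and are assumptions, not values from the thread.

```php
<?php
// Added example: distrust MD5- and SHA-1-signed certificates in userland.
// openssl_x509_parse() reports the signature algorithm in 'signatureTypeSN',
// e.g. "RSA-SHA1", "RSA-SHA256" or "ecdsa-with-SHA1" (assumption: OpenSSL
// short names as returned by the openssl extension).

/** True when the certificate's signature digest is one we distrust. */
function has_weak_signature(string $pemCert): bool
{
    $parsed = openssl_x509_parse($pemCert);
    if ($parsed === false || !isset($parsed['signatureTypeSN'])) {
        // Unparseable certificate or unknown algorithm: fail closed.
        return true;
    }
    // Match "md5" or "sha1" not followed by a digit, so SHA-1 is caught
    // but e.g. "RSA-SHA512" is not mistaken for SHA-1.
    return preg_match('/(md5|sha1)(?![0-9])/i', $parsed['signatureTypeSN']) === 1;
}

/** Build a self-signed test certificate with the given digest (constructed input). */
function make_self_signed(string $digest): ?string
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    $dn   = ['commonName' => 'example.test']; // constructed name
    $csr  = openssl_csr_new($dn, $key, ['digest_alg' => $digest]);
    $x509 = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => $digest]);
    if ($x509 === false) {
        // Some OpenSSL builds/crypto policies refuse to sign with SHA-1 at all.
        return null;
    }
    openssl_x509_export($x509, $pem);
    return $pem;
}

foreach (['sha1', 'sha256'] as $digest) {
    $pem = make_self_signed($digest);
    if ($pem === null) {
        echo "$digest: OpenSSL refused to create the test certificate\n";
        continue;
    }
    // Expected: sha1 -> REJECT, sha256 -> accept
    printf("%s: %s\n", $digest, has_weak_signature($pem) ? 'REJECT' : 'accept');
}
```

On a live connection the same check can be applied to the peer certificate captured with the existing `capture_peer_cert` SSL context option (read back via stream_context_get_params()), which is the kind of per-context control the reply above refers to.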