Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:99732
Return-Path: <me@daveyshafik.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 16562 invoked from network); 4 Jul 2017 06:53:29 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Jul 2017 06:53:29 -0000
Authentication-Results: pb1.pair.com smtp.mail=me@daveyshafik.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=me@daveyshafik.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain daveyshafik.com from 209.85.220.169 cause and error)
X-PHP-List-Original-Sender: me@daveyshafik.com
X-Host-Fingerprint: 209.85.220.169 mail-qk0-f169.google.com  
Received: from [209.85.220.169] ([209.85.220.169:34030] helo=mail-qk0-f169.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 63/4C-15131-16B3B595 for <internals@lists.php.net>; Tue, 04 Jul 2017 02:53:28 -0400
Received: by mail-qk0-f169.google.com with SMTP id d78so161146059qkb.1
        for <internals@lists.php.net>; Mon, 03 Jul 2017 23:53:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=daveyshafik-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=kRpVpmTbX0or+/Bxyd+oOhx8TdBZ3T+PjIgWyfHj+9M=;
        b=ZWf0oeTOpBjPKfAFzaWHUf7nGz1NJXfjwkiOuxmM1LEMIKa8M2mibbqiXonsqmFj/l
         UzfiEr3nbJlLQYqfzxxrywjE/GJrB4U+CjA2JqFR5BrAooKvrydhu144zsqVYYJNe84c
         wauC2u8OGVXcpjQXZ2AA0LRJkNDSwM/OxPyq27qM42kfZZQrKzcnek9HvWHSJJ0LsEVJ
         cN44EtmGu7GmdPY4rbmgjWgYnYZliAKRo0UMtGjbD/GHbvifTZD2D8Ow5r5zJ6a1J+Fu
         oTXaOzRwgQNJsrtaKGrUGHYAW3DKG3xZO0njsYk1L5sJCDM4tc4MyRi9TUkchp/lYe3C
         BNeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=kRpVpmTbX0or+/Bxyd+oOhx8TdBZ3T+PjIgWyfHj+9M=;
        b=dwfz8bwI1z5EZ+KOVsky0QCDfwlRQHvqmSBODZrnFg5cy2lnbxkniU3JXmP6dV9wgt
         VOJLe0dgyHhxjc5zYLGYEJi4obRu5LwYkQTDqkxu4zGLZp5oqfMNMvBj9NGOzSPmkBWJ
         7loGm+nc/MuUv8L+YlBDjDHbnz5zwZzXNOVi9ccegt1CX9nyokR3iNPDMWOanmgWxoYs
         J89IkGHdaPpYZj5NFCqX6Jqwof20Qr6uMMuzq32Cid6gxQXJ/px16hMFBKT1m1RXuHES
         zBlVREw5Xjb7l/0nULAKnesnxPE5d9zuCwHpb7RPJtW0CICGOrVorqUA22/16DliV2o9
         6D5Q==
X-Gm-Message-State: AKS2vOyk+hRTQSQb3jFeOHr5b8e2ef99gV/IhwN4LNRZREBabLWPpzSu
	pLHFKiG1baRuUOWHF6ho8cexQXdsuXM7
X-Received: by 10.55.64.73 with SMTP id n70mr44124053qka.35.1499151198389;
 Mon, 03 Jul 2017 23:53:18 -0700 (PDT)
MIME-Version: 1.0
Sender: me@daveyshafik.com
Received: by 10.200.50.4 with HTTP; Mon, 3 Jul 2017 23:53:17 -0700 (PDT)
In-Reply-To: <CANUQDChhO7A6by5tcimeEobaP-4k1TRsm4sXh75=K2sCi5HzHQ@mail.gmail.com>
References: <CANUQDCiUYNwH_tkZyS_cbWVa1X=4CAA3_14VD+fYjAXk-JU=1g@mail.gmail.com>
 <CANUQDChzB7EYyx8QOPgDC2TPR7n-h-dK43tHDfTZ=ocHPLHSOQ@mail.gmail.com>
 <CAEKnhAH8eGzcUsWODc75_L1kq4OtF2bvR7qJkijWWSVoY7c_mQ@mail.gmail.com>
 <CANUQDChVGuF1rrG3+AVTT+pp0nEmDw7MXyGGX7nVbQ42Kpgytw@mail.gmail.com>
 <CAEKnhAH78Uey_Tp43UY+AVaADi-ckvtBW9EqsuKTj8iDfK+AGQ@mail.gmail.com>
 <CANUQDCivjqg_NN+Zr_ZWWxh8mQyV3JVi1JDSY-ymVoc8ZKyR6w@mail.gmail.com>
 <HE1PR02MB1052A742CD23C1CA9DF54F6EBAD60@HE1PR02MB1052.eurprd02.prod.outlook.com>
 <CANUQDChRXr3FB+fa7744KaBBvawQ+QhLn8z46qAaAdU85pxtbw@mail.gmail.com>
 <CAESVnVoO-Pe+SQeCn1gywQaZA4z4nL7Mtq+7PwYWeAbP=3juZQ@mail.gmail.com> <CANUQDChhO7A6by5tcimeEobaP-4k1TRsm4sXh75=K2sCi5HzHQ@mail.gmail.com>
Date: Mon, 3 Jul 2017 23:53:17 -0700
X-Google-Sender-Auth: t61nn5ES_WyFOLPD3qHJCD8POLg
Message-ID: <CANaX5neE62ttodm3=PkyoSwYVaS5GXt4rGjNwLNiP9Qs791Ccw@mail.gmail.com>
To: Niklas Keller <me@kelunik.com>
Cc: Sara Golemon <pollita@php.net>, Anatol Belski <weltling@outlook.de>, Jakub Zelenka <bukka@php.net>, 
	PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="001a1148b410a51b3c05537856f4"
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: davey@php.net (Davey Shafik)

--001a1148b410a51b3c05537856f4
Content-Type: text/plain; charset="UTF-8"

It should be noted that Certificate Authorities (CAs) haven't been issuing
SHA-1 certs since December 31st 2015.

I think the best solution if possible, would be to treat MD5 and SHA-1
certs as invalid in _all_ supported versions of PHP and requiring that
the verify_peer
option be set to false to accept them.

For PHP 7.2 also add deprecation notices.

For PHP 7.3 and later, remove support completely.

On Mon, Jul 3, 2017 at 11:11 AM, Niklas Keller <me@kelunik.com> wrote:

> 2017-07-03 19:24 GMT+02:00 Sara Golemon <pollita@php.net>:
>
> > On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller <me@kelunik.com> wrote:
> > > Additionally there will be two INI options
> > > which are only added to PHP 7.1 and 7.0 to allow people to immediately
> > > upgrade to secure defaults without any risk of breaking other apps.
> > >
> > I understand what you're going for there, but it's just a bit weird to
> > have that INI option exist for a weird pair of version ranges and not
> > forward.   I'd say keep the INI in 7.2 and (perhaps) mark them
> > deprecated.  There's no sense making that upgrade path unreasonably
> > difficult.
> >
>
> True, but I'd like it to be an INI option to strengthen the security, but
> not allow to weaken it. You really shouldn't use MD5 or SHA1 for TLS
> certificates 2018 (!). If you really need it there, you can still set a
> default stream context option, but we won't clutter the INI options of
> future versions.
>
> Regards, Niklas
>

--001a1148b410a51b3c05537856f4--