Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99737 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 37004 invoked from network); 4 Jul 2017 11:12:02 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Jul 2017 11:12:02 -0000 Authentication-Results: pb1.pair.com smtp.mail=weltling@outlook.de; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=weltling@outlook.de; sender-id=pass Received-SPF: pass (pb1.pair.com: domain outlook.de designates 40.92.64.97 as permitted sender) X-PHP-List-Original-Sender: weltling@outlook.de X-Host-Fingerprint: 40.92.64.97 mail-oln040092064097.outbound.protection.outlook.com Received: from [40.92.64.97] ([40.92.64.97:39232] helo=EUR01-DB5-obe.outbound.protection.outlook.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 9B/EE-15131-0087B595 for ; Tue, 04 Jul 2017 07:12:02 -0400 Received: from VE1EUR01FT004.eop-EUR01.prod.protection.outlook.com (10.152.2.57) by VE1EUR01HT104.eop-EUR01.prod.protection.outlook.com (10.152.3.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1199.9; Tue, 4 Jul 2017 11:11:57 +0000 Received: from HE1PR02MB1052.eurprd02.prod.outlook.com (10.152.2.59) by VE1EUR01FT004.mail.protection.outlook.com (10.152.2.101) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1220.9 via Frontend Transport; Tue, 4 Jul 2017 11:11:57 +0000 Received: from HE1PR02MB1052.eurprd02.prod.outlook.com ([fe80::c8fa:ce46:453e:533f]) by HE1PR02MB1052.eurprd02.prod.outlook.com ([fe80::c8fa:ce46:453e:533f%13]) with mapi id 15.01.1220.018; Tue, 4 Jul 2017 11:11:57 +0000 To: Niklas Keller , Sara Golemon CC: Jakub Zelenka , PHP Internals Thread-Topic: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates Thread-Index: AQHS2GqKEaSg03F/NE+c0FfXh7TanaILu7+AgAAEbgCAAZUEgIA09mUAgAAs6TCAABXmgIABKJWQ Date: Tue, 4 Jul 2017 11:11:57 +0000 Message-ID: References: In-Reply-To: Accept-Language: de-DE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: kelunik.com; dkim=none (message not signed) header.d=none;kelunik.com; dmarc=none action=none header.from=outlook.de; x-incomingtopheadermarker: OriginalChecksum:2769F2EB2758069B381AD65684BB119930D392C0B40AAB9AFB6B279C98EA7A4E;UpperCasedChecksum:357F3BE334FC923D0A707125324547B083052078C0E447E5FB3F9AFB5A6DD349;SizeAsReceived:7901;Count:46 x-ms-exchange-messagesentrepresentingtype: 1 x-tmn: [hLwG6/4CJSs3tS0AJHlrhmbXAcAwVZq/] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;VE1EUR01HT104;7:r+Awpj4A9oqLMAO/KDlE/kMYVOJkX1z0NapEfIQhRwVYTw0iN1iBgIXFJVGw22tH3QsY7OEhLjNX3pjRPG8bA0+egPivNPeGoH4my3Ffibwc3ai2dESuSegprb4PFInGERYhF0lueT+mNHA23sreUCijnSEn8lVtyE/+RS0cYCRVf3cHr2Haeq53+xeQxwLwti7pI6qr1DzjaWp1h7Gh+bb47vJAjc7mLZ7gVyl1aUO3QLO/nAlrbqHGFlMumaxC8PXqa97G3CZnv/OOrnjoLqVkJeBBDemBuImyYmpI4BsexE6tXCi7wwxPNo04uJkBUlasP5pvuMUEEKqdbsI/Pyn7ODDZOXk4F32QCNg9YcY/tpjZev5cVBMwzNLIzXJvayeyYKke1jucx1n/+8o02en4iPO2FtT9+Bxgh9ypINkVdDUo5buswFmDLdnBHpRipzNUiMI+swI6aB+2+bCBm6ermUyZ3eXSM7EWSBWr07IdO7AXqxeUuYks5zDjGJ6Qe486wEhsUMkA7kQXyYsdNn1aHYocBqCX7NtYHRB578raMjvcVbRzOhSGciQQhIbEQl9T6zKtXlArKbICD4p/2NB9TWKGThPd56zJ7yekeee2NakAokb8DcoAGcpqdV4z1+EZOUDF+o0Awg+hJ+0OGAlECtOCHxYwVlz/SfaYUdsIJeMVN0S/yhfBuet1xClJfgx4GdmDcY4B/NojtUtTupr+UAuqsI20KBnVgHhInS6VINlkXCvjoG7cHr1IrGWdBLhdyZc5Rim4jxWff64Jbg== x-incomingheadercount: 46 x-eopattributedmessage: 0 x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:VE1EUR01HT104;H:HE1PR02MB1052.eurprd02.prod.outlook.com;FPR:;SPF:None;LANG:en; x-ms-office365-filtering-correlation-id: 1e4549c7-ae10-49c1-6337-08d4c2cd7c11 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1603101448)(1601125374)(1701031045)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:VE1EUR01HT104; x-ms-traffictypediagnostic: VE1EUR01HT104: x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031);SRVR:VE1EUR01HT104;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:VE1EUR01HT104; x-forefront-prvs: 0358535363 spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jul 2017 11:11:57.1212 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1EUR01HT104 Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates From: weltling@outlook.de (Anatol Belski) Hi Niklas, > -----Original Message----- > From: Niklas Keller [mailto:me@kelunik.com] > Sent: Monday, July 3, 2017 7:13 PM > To: Anatol Belski ; Sara Golemon > Cc: Jakub Zelenka ; PHP Internals > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates >=20 > I think the best approach for now would be that: >=20 > Add two new context options for the "ssl" wrapper: > "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They > will both default to false starting in PHP 7.2 while the backports to PHP= 7.1 and > 7.0 will default to true. Additionally there will be two INI options whic= h are only > added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure > defaults without any risk of breaking other apps. >=20 Same as Ferenc, I couldn't find anything in other languages but this about = Java http://openjdk.java.net/jeps/288 . Seems a well thought approach and y= our suggestion about the stream context is similar. Probably it is the minimum, whereby the JDK has more flexible options and m= ore constraints, which might be too flexible for us.Anyway, users are more = in control about more details, in PHP we still hide many details. For examp= le, consider things like `RSA keySize < 1024`, it is solvable in PHP with t= he stream context option, but hardly through INI. And this one is fun `SHA1= usage SignedJAR & denyAfter 2017-01-01`, too. Regards Anatol