Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99739 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 40542 invoked from network); 4 Jul 2017 11:33:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Jul 2017 11:33:19 -0000 Authentication-Results: pb1.pair.com smtp.mail=weltling@outlook.de; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=weltling@outlook.de; sender-id=pass Received-SPF: pass (pb1.pair.com: domain outlook.de designates 40.92.66.31 as permitted sender) X-PHP-List-Original-Sender: weltling@outlook.de X-Host-Fingerprint: 40.92.66.31 mail-oln040092066031.outbound.protection.outlook.com Received: from [40.92.66.31] ([40.92.66.31:11604] helo=EUR01-VE1-obe.outbound.protection.outlook.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 0F/9F-15131-EFC7B595 for ; Tue, 04 Jul 2017 07:33:18 -0400 Received: from VE1EUR01FT021.eop-EUR01.prod.protection.outlook.com (10.152.2.51) by VE1EUR01HT209.eop-EUR01.prod.protection.outlook.com (10.152.3.178) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1199.9; Tue, 4 Jul 2017 11:33:14 +0000 Received: from HE1PR02MB1052.eurprd02.prod.outlook.com (10.152.2.60) by VE1EUR01FT021.mail.protection.outlook.com (10.152.2.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1220.9 via Frontend Transport; Tue, 4 Jul 2017 11:33:14 +0000 Received: from HE1PR02MB1052.eurprd02.prod.outlook.com ([fe80::c8fa:ce46:453e:533f]) by HE1PR02MB1052.eurprd02.prod.outlook.com ([fe80::c8fa:ce46:453e:533f%13]) with mapi id 15.01.1220.018; Tue, 4 Jul 2017 11:33:14 +0000 To: Niklas Keller , Sara Golemon CC: Jakub Zelenka , PHP Internals Thread-Topic: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates Thread-Index: AQHS2GqKEaSg03F/NE+c0FfXh7TanaILu7+AgAAEbgCAAZUEgIA09mUAgAAs6TCAABXmgIAAAz8AgAANL4CAAP0EEA== Date: Tue, 4 Jul 2017 11:33:13 +0000 Message-ID: References: In-Reply-To: Accept-Language: de-DE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: kelunik.com; dkim=none (message not signed) header.d=none;kelunik.com; dmarc=none action=none header.from=outlook.de; x-incomingtopheadermarker: OriginalChecksum:2E6395D79063291077D9530F00BE8F4201C960CFC2D78B4EB09D61A0273AE1A9;UpperCasedChecksum:8AE6F33CE3442C3CB49388AA9EE73D28602BF6F664D71DFDBA6F3AD5B75DD88A;SizeAsReceived:8135;Count:46 x-ms-exchange-messagesentrepresentingtype: 1 x-tmn: [ALTj+QeNvTXMgNw6m6xg+xcxGLLEoSDF] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;VE1EUR01HT209;7:ch0si/YHC0O1f9PyZKFc7dXkS8TnHPHfih9AvSwWvfOQPXlDiMbbFGQ84ra5+52qwR1wO6wZSh8VrqEKUXeGD95ub3pUMDGFhNFDvenARZRvj/C/izdlb2V99KY/4Uh74V+6DmiMHTWweOnfjJWIjfg7AUBQmEIvA2JSVg+QSbQBlUQ8cjUyfv7j6EZ9sMYc1DIzy/b6PpydpiWxn0odaXJMhQuOWkD+uRoTSSfE/pfGQcm+LbIvVu70oHCa1yv3UrR6DyBfbMWykgWubVBkh2dT14epe9iAHB1F1vXp+RK6qCeRmiskHiufSWTNMpDWM/AhOy+rFqcoPGS3dFDvkA0Ns4acIC+QbaoKaobQDSoJSRc3qhoIa4LxKG1EoZPJMKf6+CzeYVQUVI0IP4s7orXfs7tUCF/jtS9u/yFwmYW70vZmAUkIsCN2Gj0KGTCpUt6Tiyn6iSOdj9qz96pX9tUwiz5w5QwFcm3/fipFzCLQMxMJjVmg8cgv5d5OApZ8fEZQPvfI2wBcWTRtaCqKg9l8tuEDRefTqNoKpp7lDnSh3Y3AaZMFczJfSZvPe5W0TPb40WFUGDX268D4oLiTbcbBTS7p5fqpf/ozNP+J5QrV2xjIXL7Nva2RETz6dxj2VrFyAXYAPs71JE2MeR3jI/4jVdhUQEcO9xh25LxCmc+guzDWBToIzXQyX36v5Qrh8sXnmZA8CBQyPEC94MS5+Yt6Xk2BanztwhFBDRYhkWl2b0EmjujPvd5TaTifU3bs8+GnQEhzwp+f0EHhU4RGhQ== x-incomingheadercount: 46 x-eopattributedmessage: 0 x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:VE1EUR01HT209;H:HE1PR02MB1052.eurprd02.prod.outlook.com;FPR:;SPF:None;LANG:en; x-ms-office365-filtering-correlation-id: fa31b3f9-2b56-476a-34c3-08d4c2d07524 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(300000503095)(300135400095)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1601125374)(1603101448)(1701031045)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:VE1EUR01HT209; x-ms-traffictypediagnostic: VE1EUR01HT209: x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031);SRVR:VE1EUR01HT209;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:VE1EUR01HT209; x-forefront-prvs: 0358535363 spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jul 2017 11:33:13.9594 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1EUR01HT209 Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates From: weltling@outlook.de (Anatol Belski) Hi, > -----Original Message----- > From: Niklas Keller [mailto:me@kelunik.com] > Sent: Monday, July 3, 2017 8:12 PM > To: Sara Golemon > Cc: Anatol Belski ; Jakub Zelenka ; P= HP > Internals > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates >=20 > 2017-07-03 19:24 GMT+02:00 Sara Golemon >: >=20 >=20 > On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller > wrote: > > Additionally there will be two INI options > > which are only added to PHP 7.1 and 7.0 to allow people to > immediately > > upgrade to secure defaults without any risk of breaking other apps. > > > I understand what you're going for there, but it's just a bit weird to > have that INI option exist for a weird pair of version ranges and not > forward. I'd say keep the INI in 7.2 and (perhaps) mark them > deprecated. There's no sense making that upgrade path unreasonably > difficult. >=20 >=20 >=20 > True, but I'd like it to be an INI option to strengthen the security, but= not allow > to weaken it. You really shouldn't use MD5 or SHA1 for TLS certificates 2= 018 (!). > If you really need it there, you can still set a default stream context o= ption, but > we won't clutter the INI options of future versions. >=20 An INI option doesn't seem necessary. If there's a stream context option, t= he existing code has to be touched. Those who do it, know what they do. Sam= e as with the other issue about TLS - stable branches, that have active use= rs already, we shouldn't enforce the change, but just offer it. I'd be also against an INI option in the sense it's being suggested, becaus= e it would be not useful in 7.2 and above. As you mention also, they may ha= ve the reverse effect in 7.2. The current RFC doesn't mention any INI, and = I think it's too much inconsistency having both ini and stream context. As = linked in the other mail, what we could do is introduce INI options only, J= ava alike, that would control the behavior same way in every branch. As muc= h as almost no one likes new INI options, it would mean likely no backport = were required. A stream context option sounds more plausible and future ori= ented to me, however. Regards Anatol