Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99744 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 66813 invoked from network); 4 Jul 2017 18:20:56 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Jul 2017 18:20:56 -0000 Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.161 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.161 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.161] ([81.169.146.161:27002] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 24/82-15131-68CDB595 for ; Tue, 04 Jul 2017 14:20:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1499192451; l=8397; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To: MIME-Version; bh=2NzMpEx9llZt/EvVLtlUXQtegdY9dWAFZOpbNaj1F8Q=; b=mhYewjWZxXEUH09tsJCv/0y6dRaCDXDdhbWaN+Zh6OvV9cXer9PVpwmNm7YAVE7p63 nc5A04FnDUU09Yb0pzvs3ipPtHEbWsY069g4F7ksDVb1y8r0zDjUOzpeaYgI9YFq2yGH pYd4yKt9vK0z70T3orrvdfeuC2oe4dqjl8zs8= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLDup6E67mzuoNHBqX73Q== X-RZG-CLASS-ID: mo00 Received: by mail-oi0-f43.google.com with SMTP id p188so108713830oia.0 for ; Tue, 04 Jul 2017 11:20:51 -0700 (PDT) X-Gm-Message-State: AIVw112C9fz95LvV7gBj+eHCBHNGsrUJlNnMYjs5f38gHHT2OQYYK2wm vZA/fXzCznwym3OcA/p8pswTQkJpow== X-Received: by 10.202.205.11 with SMTP id d11mr3138081oig.109.1499192450617; Tue, 04 Jul 2017 11:20:50 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.81.135 with HTTP; Tue, 4 Jul 2017 11:20:50 -0700 (PDT) In-Reply-To: References: Date: Tue, 4 Jul 2017 20:20:50 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Anatol Belski Cc: Sara Golemon , Jakub Zelenka , PHP Internals Content-Type: multipart/alternative; boundary="001a1134f6cc781d3f055381f1f7" Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates From: me@kelunik.com (Niklas Keller) --001a1134f6cc781d3f055381f1f7 Content-Type: text/plain; charset="UTF-8" 2017-07-04 13:33 GMT+02:00 Anatol Belski : > Hi, > > > -----Original Message----- > > From: Niklas Keller [mailto:me@kelunik.com] > > Sent: Monday, July 3, 2017 8:12 PM > > To: Sara Golemon > > Cc: Anatol Belski ; Jakub Zelenka ; > PHP > > Internals > > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates > > > > 2017-07-03 19:24 GMT+02:00 Sara Golemon > >: > > > > > > On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller > > wrote: > > > Additionally there will be two INI options > > > which are only added to PHP 7.1 and 7.0 to allow people to > > immediately > > > upgrade to secure defaults without any risk of breaking other > apps. > > > > > I understand what you're going for there, but it's just a bit > weird to > > have that INI option exist for a weird pair of version ranges and > not > > forward. I'd say keep the INI in 7.2 and (perhaps) mark them > > deprecated. There's no sense making that upgrade path unreasonably > > difficult. > > > > > > > > True, but I'd like it to be an INI option to strengthen the security, > but not allow > > to weaken it. You really shouldn't use MD5 or SHA1 for TLS certificates > 2018 (!). > > If you really need it there, you can still set a default stream context > option, but > > we won't clutter the INI options of future versions. > > > An INI option doesn't seem necessary. If there's a stream context option, > the existing code has to be touched. Those who do it, know what they do. > Same as with the other issue about TLS - stable branches, that have active > users already, we shouldn't enforce the change, but just offer it. > The issue without INI option is that it requires a code change. We can't just tell people "better apply this configuration change to have secure TLS". I'd definitely want this to be enabled _everywhere_. > I'd be also against an INI option in the sense it's being suggested, > because it would be not useful in 7.2 and above. As you mention also, they > may have the reverse effect in 7.2. We can prevent the reverse effect by ignoring it if it has bad security effects. > The current RFC doesn't mention any INI, and I think it's too much > inconsistency having both ini and stream context. Forget about everything that's in the RFC about the actual implementation. It's an older idea that needs to be updated based on what's suggested and seems acceptable. > As linked in the other mail, what we could do is introduce INI options > only, Java alike, that would control the behavior same way in every branch. > As much as almost no one likes new INI options, it would mean likely no > backport were required. You still need to backport it then. > A stream context option sounds more plausible and future oriented to me, > however. Regards, Niklas --001a1134f6cc781d3f055381f1f7--