Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:99745
Return-Path: <me@kelunik.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68306 invoked from network); 4 Jul 2017 18:25:14 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Jul 2017 18:25:14 -0000
Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.218 cause and error)
X-PHP-List-Original-Sender: me@kelunik.com
X-Host-Fingerprint: 81.169.146.218 mo4-p00-ob.smtp.rzone.de  
Received: from [81.169.146.218] ([81.169.146.218:27958] helo=mo4-p00-ob.smtp.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 16/D2-15131-88DDB595 for <internals@lists.php.net>; Tue, 04 Jul 2017 14:25:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1499192710;
	l=5058; s=domk; d=kelunik.com;
	h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To:
	MIME-Version;
	bh=4x/owy+kFNHmzBQioH41N42eAs5Rk5QQWWQzbtVm5sg=;
	b=nP+PK34YuzYDiupu3r+7d3l2BOhDcLXbTrcJTZXfraMXTDZU0/ntLxY8G0To7j151f
	ZpYdmzt5ZCM9AHD+be1QFV92w+sGEr91WCMwEbXGs6P22HaEkNHKH+VPijiY1gzQaKnw
	78Kb4zKX/c3jEmhhnw/0rASZIglMc7rMjIAZA=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLDup6E67mzuoNHBqX83Q==
X-RZG-CLASS-ID: mo00
Received: by mail-oi0-f44.google.com with SMTP id p188so108778574oia.0
        for <internals@lists.php.net>; Tue, 04 Jul 2017 11:25:10 -0700 (PDT)
X-Gm-Message-State: AIVw113KG9N1Km1RBjezJ5Eh63U9oxQfzYJkd/NhbZscmbhlMJ03CN8Q
	KTny5Epc3/OVTQIRrIipenLn1hp3uA==
X-Received: by 10.202.205.11 with SMTP id d11mr3146700oig.109.1499192709695;
 Tue, 04 Jul 2017 11:25:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.81.135 with HTTP; Tue, 4 Jul 2017 11:25:09 -0700 (PDT)
In-Reply-To: <HE1PR02MB10526A125B744FEA01F67B63BAD70@HE1PR02MB1052.eurprd02.prod.outlook.com>
References: <CANUQDCiUYNwH_tkZyS_cbWVa1X=4CAA3_14VD+fYjAXk-JU=1g@mail.gmail.com>
 <CANUQDChzB7EYyx8QOPgDC2TPR7n-h-dK43tHDfTZ=ocHPLHSOQ@mail.gmail.com>
 <CAEKnhAH8eGzcUsWODc75_L1kq4OtF2bvR7qJkijWWSVoY7c_mQ@mail.gmail.com>
 <CANUQDChVGuF1rrG3+AVTT+pp0nEmDw7MXyGGX7nVbQ42Kpgytw@mail.gmail.com>
 <CAEKnhAH78Uey_Tp43UY+AVaADi-ckvtBW9EqsuKTj8iDfK+AGQ@mail.gmail.com>
 <CANUQDCivjqg_NN+Zr_ZWWxh8mQyV3JVi1JDSY-ymVoc8ZKyR6w@mail.gmail.com>
 <HE1PR02MB1052A742CD23C1CA9DF54F6EBAD60@HE1PR02MB1052.eurprd02.prod.outlook.com>
 <CANUQDChRXr3FB+fa7744KaBBvawQ+QhLn8z46qAaAdU85pxtbw@mail.gmail.com> <HE1PR02MB10526A125B744FEA01F67B63BAD70@HE1PR02MB1052.eurprd02.prod.outlook.com>
Date: Tue, 4 Jul 2017 20:25:09 +0200
X-Gmail-Original-Message-ID: <CANUQDCgjsC-SJbFDpdZeWLzSHeF8RivGP_XZwsdELWtOesdcmQ@mail.gmail.com>
Message-ID: <CANUQDCgjsC-SJbFDpdZeWLzSHeF8RivGP_XZwsdELWtOesdcmQ@mail.gmail.com>
To: Anatol Belski <weltling@outlook.de>
Cc: Sara Golemon <pollita@php.net>, Jakub Zelenka <bukka@php.net>, 
	PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="001a1134f6cce94eeb05538200d0"
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)

--001a1134f6cce94eeb05538200d0
Content-Type: text/plain; charset="UTF-8"

2017-07-04 13:11 GMT+02:00 Anatol Belski <weltling@outlook.de>:

> Hi Niklas,
>
> > -----Original Message-----
> > From: Niklas Keller [mailto:me@kelunik.com]
> > Sent: Monday, July 3, 2017 7:13 PM
> > To: Anatol Belski <weltling@outlook.de>; Sara Golemon <pollita@php.net>
> > Cc: Jakub Zelenka <bukka@php.net>; PHP Internals <
> internals@lists.php.net>
> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> >
> > I think the best approach for now would be that:
> >
> > Add two new context options for the "ssl" wrapper:
> > "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They
> > will both default to false starting in PHP 7.2 while the backports to
> PHP 7.1 and
> > 7.0 will default to true. Additionally there will be two INI options
> which are only
> > added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure
> > defaults without any risk of breaking other apps.
> >
> Same as Ferenc, I couldn't find anything in other languages but this about
> Java http://openjdk.java.net/jeps/288 . Seems a well thought approach and
> your suggestion about the stream context is similar.
>

I asked in #python-dev on Freenode yesterday. The response I got was that
it's something on the TODO list, but they don't see it as high priority and
the person I talked to said it would only be a defense-in-depth, which it
is not, it's a vulnerability.


> Probably it is the minimum, whereby the JDK has more flexible options and
> more constraints, which might be too flexible for us.Anyway, users are more
> in control about more details, in PHP we still hide many details. For
> example, consider things like `RSA keySize < 1024`, it is solvable in PHP
> with the stream context option, but hardly through INI. And this one is fun
> `SHA1 usage SignedJAR & denyAfter 2017-01-01`, too.
>

Regards, Niklas

--001a1134f6cce94eeb05538200d0--