Newsgroups: php.internals
Date: Tue, 4 Jul 2017 23:13:48 +0200
To: Anatol Belski
Cc: Sara Golemon, Jakub Zelenka, PHP Internals
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)

> But the RFC is what you wrote about some days ago. Anything I said is
> based on the RFC and the previous conversations. My understanding was that
> you intended to push the exact RFC to a vote. If you now say there's no
> approach and the RFC has to be ignored, then it doesn't help. If there's
> another approach, then please present it.

Nobody wants to backport OpenSSL's implementation, so I don't see the viability of supporting `auth_level`. I outlined my current suggestion several mails ago:

-----

I think the best approach for now would be that:

Add two new context options for the "ssl" wrapper: "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They will both default to false starting in PHP 7.2, while the backports to PHP 7.1 and 7.0 will default to true.

Additionally, there will be two INI options which are only added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure defaults without any risk of breaking other apps.

-----

Regards, Niklas
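
Independently of the two context options proposed in this mail, an application can inspect the certificate chain itself and refuse MD5 or SHA-1 signatures. The following is an added example, not part of the mail or of PHP's implementation; `weakSignatures` and `makeCert` are hypothetical names, and the sample certificates are generated at run time as constructed input.

```php
<?php
// Added example, not code from the mail or from php-src.

/**
 * Hypothetical helper: lists "CN: algorithm" for every certificate in $chain
 * whose signature uses MD5 or SHA-1. $chain holds PEM strings or certificate
 * handles, e.g. the "peer_certificate_chain" captured by the "ssl" wrapper
 * when "capture_peer_cert_chain" is enabled.
 */
function weakSignatures(array $chain): array
{
    $weak = [];
    foreach ($chain as $cert) {
        $info = openssl_x509_parse($cert);
        if ($info === false) {
            throw new RuntimeException('unparsable certificate in chain');
        }
        // Heuristic: subject == issuer means a self-signed trust anchor. It is
        // trusted by its key, so the digest of its self-signature is skipped.
        if ($info['subject'] == $info['issuer']) {
            continue;
        }
        // signatureTypeSN is OpenSSL's short name, e.g. "RSA-SHA1", "RSA-MD5",
        // "ecdsa-with-SHA1" or "RSA-SHA256".
        if (preg_match('/\b(MD5|SHA1)\b/i', $info['signatureTypeSN'])) {
            $weak[] = ($info['subject']['CN'] ?? '(no CN)') . ': ' . $info['signatureTypeSN'];
        }
    }
    return $weak;
}

// Constructed sample input: builds one throwaway certificate at run time.
function makeCert(string $cn, string $digest, $caCert = null, $caKey = null): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, $caCert, $caKey ?? $key, 1, ['digest_alg' => $digest]);
    if ($cert === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return [$cert, $key];
}

[$ca, $caKey] = makeCert('Example Test CA', 'sha256');        // self-signed root
[$leaf] = makeCert('leaf.example.test', 'sha1', $ca, $caKey); // SHA-1 signed leaf
print_r(weakSignatures([$leaf, $ca]));
```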