Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99754 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 21559 invoked from network); 5 Jul 2017 07:43:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Jul 2017 07:43:03 -0000 Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.216 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.216 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.216] ([81.169.146.216:22207] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 9C/78-15131-5889C595 for ; Wed, 05 Jul 2017 03:43:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1499240579; l=4693; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To: MIME-Version; bh=Ua+iAfVhny0YHJ50HUTJBwWzMjD6OunnSKcnwV5eVt4=; b=L1jShKVVlnFddMLjbPH4t/ZZHBTk8MkXp0knBGev+Kf+2mtjqHdRVEa6yTesZcV9hb s9Jx0ylSfRWlPG9rD7w2oQ7m5iwo+5mSMMBnBGQbK10X/cd8agAgCQa6aIcUrvCmgPK0 609w9MTxTlOn+ENE1y0wTvqm8RYzxbRH0HgEA= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLDup6E67mzuoNHBqT83Q== X-RZG-CLASS-ID: mo00 Received: by mail-oi0-f54.google.com with SMTP id 191so93039366oii.2 for ; Wed, 05 Jul 2017 00:42:59 -0700 (PDT) X-Gm-Message-State: AIVw11006ALwWHrNI9kuDTTJgLf7y0JZM1c37pVEFZVqRadp1Qwutzx9 e9Z5bxA4j9Y+j0T8dA5I/oW4hTzg+w== X-Received: by 10.202.206.131 with SMTP id e125mr3977582oig.168.1499240578337; Wed, 05 Jul 2017 00:42:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.81.135 with HTTP; Wed, 5 Jul 2017 00:42:57 -0700 (PDT) In-Reply-To: References: Date: Wed, 5 Jul 2017 09:42:57 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Anatol Belski Cc: Sara Golemon , Jakub Zelenka , PHP Internals Content-Type: multipart/alternative; boundary="001a113d30b61affaa05538d26db" Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates From: me@kelunik.com (Niklas Keller) --001a113d30b61affaa05538d26db Content-Type: text/plain; charset="UTF-8" > > > But the RFC is what you wrote about some days ago. Anything I told > is > > based on the RFC and the previous conversations. My understanding was, > that > > you were intended to push the exact RFC to vote. If you tell now there's > no > > approach and the RFC has to be ignored, then it doesn't help. If there's > another > > approach, so please present it. > > > > > > Nobody wants to backport OpenSSL's implementation, so I don't see the > viability > > of supporting `auth_level`. > > > > I've outlined my current suggestion several mails ago: > > > > ----- > > I think the best approach for now would be that: > > > > Add two new context options for the "ssl" wrapper: > > "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They > > will both default to false starting in PHP 7.2 while the backports to > PHP 7.1 and > > 7.0 will default to true. Additionally there will be two INI options > which are only > > added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure > > defaults without any risk of breaking other apps. > > ----- > Ok, so that's where the cat catches its tail. If there are both INI and > wrapper options, doing the same, it were excessive. Say, if the context > option has to be integrated anyway, why INI? Otherwise, if INI is supposed > to provide same separately, without touching the code - why bother with > stream context? Or in further, if the INI is supposed to be ignored in 7.2, > then the code still has to be changed. The more complicated, the more > inconsistent. > If we choose to block SHA1 and MD5 certificates by default in 7.0 / 7.1, then we don't need the INI option. But if you decide it's not acceptable as an important security fix, then I definitely want a way to secure all applications at once with a configuration change instead of having to change each and every application to set a default stream context option. Regards, Niklas --001a113d30b61affaa05538d26db--