Newsgroups: php.internals
Date: Wed, 5 Jul 2017 14:23:46 +0100
To: Niklas Keller
Cc: Anatol Belski, Sara Golemon, PHP Internals
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: bukka@php.net (Jakub Zelenka)

Hi,

On Tue, Jul 4, 2017 at 10:13 PM, Niklas Keller wrote:

>> But the RFC is what you wrote about some days ago. Anything I told is
>> based on the RFC and the previous conversations. My understanding was, that
>> you were intended to push the exact RFC to vote. If you tell now there's no
>> approach and the RFC has to be ignored, then it doesn't help. If there's
>> another approach, so please present it.
>
> Nobody wants to backport OpenSSL's implementation, so I don't see the
> viability of supporting `auth_level`.

Backporting auth_level would be overkill but we could add a sig_level as I
said previously. It would simplify many things in the future and address
exactly the issue. Setting explicit options named by algorithm is not
flexible and after a couple of years it will be just an ugly unused leftover
from the past...

> I've outlined my current suggestion several mails ago:
>
> -----
> I think the best approach for now would be that:
>
> Add two new context options for the "ssl" wrapper:
> "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They
> will both default to false starting in PHP 7.2 while the backports to PHP
> 7.1 and 7.0 will default to true. Additionally there will be two INI
> options which are only added to PHP 7.1 and 7.0 to allow people to
> immediately upgrade to secure defaults without any risk of breaking other
> apps.
> -----

I don't like adding new INI in general. It won't really help because people
won't usually set it and changing behavior in such a way is not good IMHO.

To sum it up I'd really prefer a solution based on security level (in this
case just a sig_level part of it) and have it just as a context option which
could be backported in the following way:

7.0 - default to 0 (the same behavior as now to be safe)
7.1 - default to 1 (80 bits of security and more - disable md5 as it
      shouldn't break too many apps and at least protect against md5 signed
      certs).
7.2 - default to 2 (SHA-1 disabled as well).

Cheers

Jakub
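
The level-based check proposed in the message above, as an added userland sketch (not part of the original mail and not php-src code). The function and constant names are hypothetical, the 112-bit threshold for level 2 is taken from OpenSSL's security levels, and digest strength is assumed to be half the digest length.

```php
<?php
// Minimum security bits per level. Level 1 = 80 bits is from the mail;
// level 2 = 112 bits follows OpenSSL's security-level definition.
const SIG_LEVEL_MIN_BITS = [0 => 0, 1 => 80, 2 => 112];
// Assumed strength model: half the digest length, which puts MD5 below
// level 1 and SHA-1 below level 2, as the mail describes.
const DIGEST_BITS = ['md5' => 64, 'sha1' => 80, 'sha224' => 112,
                     'sha256' => 128, 'sha384' => 192, 'sha512' => 256];
// Per-branch defaults proposed in the mail.
const SIG_LEVEL_DEFAULT = ['7.0' => 0, '7.1' => 1, '7.2' => 2];

/**
 * @param array $chain leaf-first list shaped like openssl_x509_parse()
 *                     output, with the trust anchor as the last entry
 * @return string[] one message per certificate rejected at $level
 */
function sig_level_violations(array $chain, int $level): array
{
    $min = SIG_LEVEL_MIN_BITS[$level] ?? null;
    if ($min === null) {
        throw new InvalidArgumentException("unsupported sig_level $level");
    }
    $violations = [];
    // The trust anchor is trusted by configuration, not by its signature,
    // so it is skipped (OpenSSL's auth level does the same).
    foreach (array_slice($chain, 0, -1) as $cert) {
        $alg = $cert['signatureTypeSN'] ?? '';
        $known = preg_match('/(md5|sha1|sha224|sha256|sha384|sha512)$/i', $alg, $m);
        // Fail closed: an unrecognised algorithm only passes at level 0.
        $bits = $known ? DIGEST_BITS[strtolower($m[1])] : 0;
        if ($bits < $min) {
            $violations[] = sprintf('%s: %s (%d bits) is below level %d',
                $cert['subject']['CN'] ?? '?', $alg, $bits, $level);
        }
    }
    return $violations;
}

// Constructed sample chain: leaf, two intermediates, root.
$chain = [
    ['subject' => ['CN' => 'www.example.test'], 'signatureTypeSN' => 'RSA-SHA256'],
    ['subject' => ['CN' => 'Example CA 2'], 'signatureTypeSN' => 'RSA-SHA1'],
    ['subject' => ['CN' => 'Example CA 1'], 'signatureTypeSN' => 'RSA-MD5'],
    ['subject' => ['CN' => 'Example Root'], 'signatureTypeSN' => 'RSA-SHA1'],
];
foreach (SIG_LEVEL_DEFAULT as $branch => $level) {
    printf("PHP %s (sig_level=%d): %s\n", $branch, $level,
        implode('; ', sig_level_violations($chain, $level)) ?: 'chain accepted');
}
```

On a live connection the input could come from the existing `capture_peer_cert_chain` ssl context option, with each captured certificate passed through `openssl_x509_parse()`.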