Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:99769
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 68004 invoked from network); 5 Jul 2017 16:14:14 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Jul 2017 16:14:14 -0000
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.172 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.213.172 mail-yb0-f172.google.com  
Received: from [209.85.213.172] ([209.85.213.172:33935] helo=mail-yb0-f172.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 49/5F-15131-4501D595 for <internals@lists.php.net>; Wed, 05 Jul 2017 12:14:13 -0400
Received: by mail-yb0-f172.google.com with SMTP id e201so73743393ybb.1
        for <internals@lists.php.net>; Wed, 05 Jul 2017 09:14:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=11Fmp25KTHvMO2AeGEkYG03bem2lQ3iiWqmpZLMbKbA=;
        b=iAq/f+4yep/v81umfSn6SLmZcoWuUPax9vNeIL3R8zNnPBPcrU9c5szeo7qDH5wDEL
         M3AcMglIx9MiPK7oyejB1GYqmhuHtcm5BMxXibHk7rKsJh+Jvy7vh2Yyk+ZPqDpHkQ/O
         7pWq04TdCuH8q/LjhtD8RDOggNT0jl7Cyil3K+G3b0xmhqheIdS0X6gUI0wJ+H6w8i+y
         xk5aIVRNi339dz4Oa+QPGShAhpo7CAaVk9QMfqc+r4RaINrTPodGmXup04jLNziX6p2j
         CvXk4wrC0vbt1bUxytnr9RxoXeHuCE2C8245jF8tYdDMvws6mljXmPHojMcosWI+SZtP
         gK5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=11Fmp25KTHvMO2AeGEkYG03bem2lQ3iiWqmpZLMbKbA=;
        b=TvpfVUqDh5VmnyOwB3MTp5Wy77eFOVqZu2TWLvEMNwJTTtgH951cIjtlqiqjmrIHdF
         6dz4rp+mXKFCXAPL7CwdnoLb1TWrN5DfVzjHXaGOZ7XZ/2s6cnwRc82S2m+9t62n/X9Z
         +5AFd9dfV0nT2CmR/t7pds6GxmmrAp/UZDJPVTzrf3+7NsA+L1sKGfmuX383n/7U+a8A
         t4lcMA3yaFTZwOgQwjmIwSiaaocZt9wss5BDBrO/rv/KZ1Js8HbQ0PjVzMVjC53bAWzc
         piqYTiH//F2jNxD1b7VS9wV6DS/kgih8TWvcJoLaHmxcKxm25OJ78k29v4u4YwSRYEGu
         G3/w==
X-Gm-Message-State: AKS2vOzSD3KnjQU9s1+buG2eMO+9ITPQT+UALYqi12aydtcjqBVlnKfF
	pYXgvPP/4OT4NfHqUABq7SVphHIErg==
X-Received: by 10.37.170.141 with SMTP id t13mr38207067ybi.230.1499271249846;
 Wed, 05 Jul 2017 09:14:09 -0700 (PDT)
MIME-Version: 1.0
Sender: jakub.php@gmail.com
Received: by 10.129.85.194 with HTTP; Wed, 5 Jul 2017 09:14:09 -0700 (PDT)
In-Reply-To: <HE1PR02MB1052E6FD18A953663BDD7146BAD40@HE1PR02MB1052.eurprd02.prod.outlook.com>
References: <CANUQDCiUYNwH_tkZyS_cbWVa1X=4CAA3_14VD+fYjAXk-JU=1g@mail.gmail.com>
 <CANUQDChzB7EYyx8QOPgDC2TPR7n-h-dK43tHDfTZ=ocHPLHSOQ@mail.gmail.com>
 <CAEKnhAH8eGzcUsWODc75_L1kq4OtF2bvR7qJkijWWSVoY7c_mQ@mail.gmail.com>
 <CANUQDChVGuF1rrG3+AVTT+pp0nEmDw7MXyGGX7nVbQ42Kpgytw@mail.gmail.com>
 <CAEKnhAH78Uey_Tp43UY+AVaADi-ckvtBW9EqsuKTj8iDfK+AGQ@mail.gmail.com>
 <CANUQDCivjqg_NN+Zr_ZWWxh8mQyV3JVi1JDSY-ymVoc8ZKyR6w@mail.gmail.com>
 <HE1PR02MB1052A742CD23C1CA9DF54F6EBAD60@HE1PR02MB1052.eurprd02.prod.outlook.com>
 <CANUQDChRXr3FB+fa7744KaBBvawQ+QhLn8z46qAaAdU85pxtbw@mail.gmail.com>
 <CAESVnVoO-Pe+SQeCn1gywQaZA4z4nL7Mtq+7PwYWeAbP=3juZQ@mail.gmail.com>
 <CANUQDChhO7A6by5tcimeEobaP-4k1TRsm4sXh75=K2sCi5HzHQ@mail.gmail.com>
 <HE1PR02MB105234EBBCC3B38F2D5105B3BAD70@HE1PR02MB1052.eurprd02.prod.outlook.com>
 <CANUQDChnN1Mi6E-EUPgFkr5muHCkQt7xDA5F8oy5h2Cxph6Q3w@mail.gmail.com>
 <HE1PR02MB1052F972CF1C581D0A38EB76BAD70@HE1PR02MB1052.eurprd02.prod.outlook.com>
 <CANUQDChUwSWmXj4ddsTs8Zqbvku3bVQJBGc2605Zxysg+NgO+Q@mail.gmail.com>
 <CAEKnhAGiM1+G1P1B-tfn4SGDTHfAi6nh8sO7yyWKeFxHsBcvHQ@mail.gmail.com> <HE1PR02MB1052E6FD18A953663BDD7146BAD40@HE1PR02MB1052.eurprd02.prod.outlook.com>
Date: Wed, 5 Jul 2017 17:14:09 +0100
X-Google-Sender-Auth: dbkKFd1a6GafzOgowUrQ_TYA1PY
Message-ID: <CAEKnhAHKue63yojyvVqX+qX2rmntT6Cy+Nv8im5KM-K42W4pbQ@mail.gmail.com>
To: Anatol Belski <weltling@outlook.de>
Cc: Niklas Keller <me@kelunik.com>, Sara Golemon <pollita@php.net>, 
	PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="94eb2c19c2ae44eaeb0553944a1a"
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: bukka@php.net (Jakub Zelenka)

--94eb2c19c2ae44eaeb0553944a1a
Content-Type: text/plain; charset="UTF-8"

On Wed, Jul 5, 2017 at 2:34 PM, Anatol Belski <weltling@outlook.de> wrote:

> Hi Jakub,
>
> > -----Original Message-----
> > From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of
> Jakub
> > Zelenka
> > Sent: Wednesday, July 5, 2017 3:24 PM
> > To: Niklas Keller <me@kelunik.com>
> > Cc: Anatol Belski <weltling@outlook.de>; Sara Golemon <pollita@php.net>;
> PHP
> > Internals <internals@lists.php.net>
> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> >
> > Hi,
> >
> >
> > On Tue, Jul 4, 2017 at 10:13 PM, Niklas Keller <me@kelunik.com
> > <mailto:me@kelunik.com> > wrote:
> >
> >
> >
> >
> >               But the RFC is what you wrote about some days ago.
> Anything I
> > told is based on the RFC and the previous conversations. My
> understanding was,
> > that you were intended to push the exact RFC to vote. If you tell now
> there's no
> > approach and the RFC has to be ignored, then it doesn't help. If there's
> another
> > approach, so please present it.
> >
> >
> >       Nobody wants to backport OpenSSL's implementation, so I don't see
> the
> > viability of supporting `auth_level`.
> >
> >
> > Backporting auth_level would be overkill but we could add a sig_level as
> I said
> > previously. It would simplify many things in the future and address
> exactly the
> > issue. Setting explicit options named by algorithm is not flexible and
> after couple
> > of years it will be just an ugly unused leftover from past...
> >
> >
> >
> >       I've outlined my current suggestion several mails ago:
> >
> >       -----
> >
> >       I think the best approach for now would be that:
> >
> >       Add two new context options for the "ssl" wrapper:
> > "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They
> > will both default to false starting in PHP 7.2 while the backports to
> PHP 7.1 and
> > 7.0 will default to true. Additionally there will be two INI options
> which are only
> > added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure
> > defaults without any risk of breaking other apps.
> >       -----
> >
> >
> >
> > I don't like adding new INI in general. It won't really help because
> people won't
> > usually set it and changing behavior in such way is not good IMHO.
> >
> > To sum it up I'd really prefer solution based on security level (in this
> case just a
> > sig_level part of it) and have it just as a context option which could be
> > backported in the following way:
> >
> > 7.0 - default to 0 (the same behavior as now to be safe)
> > 7.1 - default to 1 (80 bits of security and more - disable md5 as it
> shouldn't break
> > too many apps and at least protect against md5 signed certs).
> > 7.2 - default to 2 (SHA-1 disabled as well).
> >
> Do you think it were possible to get in time with an implementation, if
> there's an agreement?


Yep it would be a small patch so I don't see a problem with that..


> As Sara is willing to accept a fix to this even later in the cycle, and
> that could be a good chance to align all the branches. As for me, this
> approach sounds feasible from both BC and functionality POV, except one
> detail - say if in 7.2 the level is for some reason have to be set to 0
> because an app requires it, it should be possible at least for some time.
>
>
It would be a context option so app could change it when creating stream
context. I think there is no need to have a global option as this should be
specific to stream.

Cheers

Jakub

--94eb2c19c2ae44eaeb0553944a1a--