Newsgroups: php.internals
Xref: news.php.net php.internals:99878
Date: Mon, 17 Jul 2017 09:58:49 +0200
To: Anatol Belski
Cc: Jakub Zelenka, Sara Golemon, PHP Internals
Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
From: me@kelunik.com (Niklas Keller)

> > Hi,
> >
> > > After reading related discussion on openssl-users [1], I'm not so sure if
> > > we should be doing that at all...
> > >
> > > Especially I agree with this bit:
> > >
> > > "Making your code more complex is a far higher risk than a practical
> > > certificate forgery based on a collision attack on SHA-1."
> > >
> > > The only thing that makes sense IMHO would be adding support for setting
> > > security level only for OpenSSL 1.1.
> > >
> > > [1] http://openssl.6102.n7.nabble.com/Rejecting-SHA-1-certificates-td71439.html
> >
> > Same here actually. While it's trivial to implement with OpenSSL 1.1, it's
> > non-trivial before, because there's no API to get the trusted chain AFAIK,
> > so we would indeed have to do this inside verify_callback.
>
> Thanks for the responses and for the discussion link. With that, the
> situation is simplified a lot. This allows for a better conceived patch and
> there's obviously no strong reason to touch the stable branches.
>
> Thanks.
>
> Anatol

@Jakub: Do we want to expose "auth_level" then in case PHP is linked against
OpenSSL 1.1.0+?

Regards,
Niklas
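Added example, not code from this thread or from php-src: the two approaches the thread contrasts, seen from a PHP TLS client. With OpenSSL 1.1.0+ the check is one context option (PHP 7.2 exposes SSL_CTX_set_security_level() as the `security_level` ssl option; "auth_level" is the working name used in the thread); on older OpenSSL the chain has to be inspected by hand, which is done here in userland over the captured peer chain rather than inside verify_callback, since PHP code has no access to that callback. The offline demo builds a constructed two-certificate chain (SHA-256 self-signed root, SHA-1 signed leaf) so the userland check can be exercised without a network. The function names `connect_with_security_level`, `find_weakly_signed_certs` and `demo_offline` are mine.

```php
<?php
// Added example, not code from the php.internals thread or from php-src.
// Two ways for a PHP TLS client to refuse certificates signed with SHA-1.

/**
 * OpenSSL >= 1.1.0 path: set the OpenSSL security level through the stream
 * context. PHP 7.2 exposes it as the 'security_level' ssl option, which maps
 * to SSL_CTX_set_security_level(). Level 2 (112-bit minimum) rejects SHA-1
 * certificate signatures on OpenSSL 1.1.x (OpenSSL 3 already does so at its
 * default level 1). Older PHP/OpenSSL silently ignore the option, so the
 * peer chain is captured as well for the userland check below.
 */
function connect_with_security_level(string $host, int $port = 443, int $level = 2): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'peer_name'               => $host,
        'security_level'          => $level,
        'capture_peer_cert_chain' => true,
    ]]);
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("TLS handshake to $host failed: $errstr ($errno)");
    }
    $chain = stream_context_get_params($ctx)['options']['ssl']['peer_certificate_chain'] ?? [];
    return [$sock, $chain];
}

/**
 * Any-OpenSSL path: inspect the signature algorithm of every certificate in a
 * chain. Self-signed certificates (trust anchors) are skipped, as OpenSSL's own
 * security-level check does: a root's self-signature is never verified, so its
 * digest is irrelevant. Returns the subject names of certificates whose
 * signature uses SHA-1 or MD5.
 */
function find_weakly_signed_certs(array $chain): array
{
    $weak = [];
    foreach ($chain as $cert) {
        $info = openssl_x509_parse($cert);
        if ($info === false) {
            throw new RuntimeException('unparsable certificate in chain');
        }
        if ($info['subject'] == $info['issuer']) {
            continue; // self-signed root: its signature is not part of the verified path
        }
        // Short names look like "RSA-SHA1", "RSA-SHA256", "ecdsa-with-SHA256";
        // the lookahead keeps "sha1" from matching the "sha1..." prefix of nothing
        // but stops "sha256" from being confused with it.
        $alg = strtolower($info['signatureTypeSN'] ?? $info['signatureTypeLN'] ?? '');
        if (preg_match('/(sha1|md5)(?!\d)/', $alg)) {
            $weak[] = $info['name'] . ' (' . $alg . ')';
        }
    }
    return $weak;
}

/**
 * Offline demo on a constructed chain: SHA-256 self-signed root, SHA-1 signed
 * leaf. Some OpenSSL 3 builds under strict crypto policies refuse to produce a
 * SHA-1 signature at all; openssl_csr_sign() then returns false.
 */
function demo_offline(): array
{
    $keyOpts = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];

    $rootKey = openssl_pkey_new($keyOpts);
    $rootCsr = openssl_csr_new(['commonName' => 'Demo Root CA'], $rootKey, ['digest_alg' => 'sha256']);
    $root    = openssl_csr_sign($rootCsr, null, $rootKey, 3650, ['digest_alg' => 'sha256'], 1);

    $leafKey = openssl_pkey_new($keyOpts);
    $leafCsr = openssl_csr_new(['commonName' => 'demo.example'], $leafKey, ['digest_alg' => 'sha256']);
    $leaf    = openssl_csr_sign($leafCsr, $root, $rootKey, 365, ['digest_alg' => 'sha1'], 2);

    if ($root === false || $leaf === false) {
        throw new RuntimeException('certificate generation failed: ' . openssl_error_string());
    }
    // Leaf first, root last, the order a server presents its chain in.
    return find_weakly_signed_certs([$leaf, $root]);
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        [$sock, $chain] = connect_with_security_level($argv[1]);
        fclose($sock);
        $weak = find_weakly_signed_certs($chain);
    } else {
        $weak = demo_offline();
    }
    echo $weak ? 'Weakly signed: ' . implode('; ', $weak) . "\n" : "Chain OK\n";
}
```

Run with no arguments to exercise the constructed chain, or with a hostname to check a live server. The userland check sees only the chain the peer sent, not the chain OpenSSL actually built to a trust anchor (the "trusted chain" Niklas refers to), so a cross-signed intermediate the client resolves through its own store is not covered; that limitation is exactly why the OpenSSL 1.1 security level is the cleaner mechanism where it is available.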