Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:99882 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 70635 invoked from network); 17 Jul 2017 16:50:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Jul 2017 16:50:46 -0000 Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.171 as permitted sender) X-PHP-List-Original-Sender: jakub.php@gmail.com X-Host-Fingerprint: 209.85.161.171 mail-yw0-f171.google.com Received: from [209.85.161.171] ([209.85.161.171:34393] helo=mail-yw0-f171.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FE/40-02884-4EAEC695 for ; Mon, 17 Jul 2017 12:50:44 -0400 Received: by mail-yw0-f171.google.com with SMTP id l21so49836965ywb.1 for ; Mon, 17 Jul 2017 09:50:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aj98x8+eGNwSz0mXbZ4jfZ53DJzyTkmknnwXtwDLGBU=; b=HLOtbxuGgZ7Gx+AN/VbsaaH3KBLfOQv+lFmbbKKANUO22ZnRFvLKCR2cZT+40D01M9 yn4DSjJDlzo0dJomDlZpnygLrSd6qJUykFFLbMmvzPAg1CI7mLC+vR40U9X/2NW4MZX5 0DO/wkr+D9Ah14cqxHsU1cBAqx/etCfKF9nW0kNh9rOOiDR4YQbgMsIT0pquYVaRlhk2 5hssMIIiwLW1GqJdDxeq1jTHsSoVPKfmXBzDdoIpTSq+9Iyt7kLiguUN0n5ExKBHV0am Ieg52Kfgi16BPcDjEZbzinDvz+FQ8pxR7PtXsF2ZH72oeR/hQVRuNaunkf+ucne2d4rc atSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=aj98x8+eGNwSz0mXbZ4jfZ53DJzyTkmknnwXtwDLGBU=; b=tj1CHPserhZ751PaNCqfeUsu+F1KXl/ommUJ5XpQ0CbZLdyZmXB5KoYR2Bylv6JWm7 FEUVp9BupW8ReieEs4MKGSQ0pNCutS6F9RA68cpTKskhBuMHIjttmAwZMsbVAnzS6IHE k1LUm4WkR8gEKoS82f5ZaUZHGNL1tRsjKdS4P60uuwxbTzJJJCv1BtqHxhq02W2Z2JAt 0//0D5VHZRYqv0TcSAFvn6Qy9Fvc79AjNim1UZoiyP2B9MhWdSixt0m+fhZeadrMsZnj Up1oTQ5yg3umUvyFDNigkc/ssI76w4p8X4Kq7YzCq5HyyuMfya0e7IbmlXfXSLxuB5Ny M3og== X-Gm-Message-State: AIVw113P7LQuSRGS0dCF4qejuwQOfbq+u3TWY72uu3HoBvpocntByySV swMDKDeYr9mVjArd2IMA+YZkn62YGA== X-Received: by 10.13.239.69 with SMTP id y66mr16651150ywe.231.1500310241867; Mon, 17 Jul 2017 09:50:41 -0700 (PDT) MIME-Version: 1.0 Sender: jakub.php@gmail.com Received: by 10.129.116.135 with HTTP; Mon, 17 Jul 2017 09:50:41 -0700 (PDT) In-Reply-To: References: Date: Mon, 17 Jul 2017 17:50:41 +0100 X-Google-Sender-Auth: 9226LpDNtC2njFIElhHJXYQ5vWk Message-ID: To: Niklas Keller Cc: Anatol Belski , Sara Golemon , PHP Internals Content-Type: multipart/alternative; boundary="94eb2c0336e80500fe05548633e9" Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates From: bukka@php.net (Jakub Zelenka) --94eb2c0336e80500fe05548633e9 Content-Type: text/plain; charset="UTF-8" Hey, On Mon, Jul 17, 2017 at 8:58 AM, Niklas Keller wrote: > Hi, >> >> > After reading related discussion on openssl-users [1], I'm not so >> sure if >> > we should be doing that at all... >> > >> > Especially I agree with this bit: >> > >> > "Making your code more complex is a far higher risk than a >> practical >> > certificate forgery based on a collision attack on SHA-1. " >> > >> > The only thing, that makes sense IMHO would be adding support for >> > setting >> > security level only for OpenSSL 1.1. >> > >> > [1] >> > http://openssl.6102.n7.nabble.com/Rejecting-SHA-1-certificates- >> > td71439.html > > certificates-td71439.html> >> > >> > >> > Same here actually. While it's trivial to implement with OpenSSL 1.1, >> it's non- >> > trivial before, because there's no API to get the trusted chain AFAIK, >> so we >> > would indeed have to do this inside verify_callback. >> > >> Thanks for the responses and for the discussion link. With that, the >> situation is simplified a lot. This allows for a better conceived patch and >> there's obviously no strong reason to touch the stable branches. >> >> Thanks. >> >> Anatol >> > > @Jakub: Do we want to expose "auth_level" then in case PHP is linked > against OpenSSL 1.1.0+? > > > I just pushed support for security_level [1] which is more comprehensive and the patch is also very simple. Apology for such last minute addition but I felt that it is really useful for 7.2 and I have already messaged about that and haven't heard any objections. Of course if anyone feels strongly against it, I will be happy to reconsider it. Cheers Jakub --94eb2c0336e80500fe05548633e9--