FYI, these are things I plan to work on for the post-5.6 timeframe:
- Support for SNI in servers (currently only supported by clients)
- Support for DTLS (datagram client/server encryption)
- Mitigating the client-initiated renegotiation DoS vector in TLS servers
Most TLS changes could probably pass as "security fixes" and may be
feasible for 5.6 bugfix releases. The alternative is obviously to put them
in master and wait for 5.7. In any case we can cross that bridge when we
get there.
If people have other ideas/suggestions (or want to help) just let me know.
Daniel
Hi Daniel,
> FYI, these are things I plan to work on for the post-5.6 timeframe:
> - Support for SNI in servers (currently only supported by clients)
> - Support for DTLS (datagram client/server encryption)
> - Mitigating the client-initiated renegotiation DoS vector in TLS servers
> Most TLS changes could probably pass as "security fixes" and may be
> feasible for 5.6 bugfix releases. The alternative is obviously to put them
> in master and wait for 5.7. In any case we can cross that bridge when we
> get there.
I'd support the renegotiation DOS vector as a current bugfix - it's
been documented for what, 2 years now since a POC was published?
Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
Hi all,
On Wed, Feb 12, 2014 at 10:39 PM, Pádraic Brady <padraic.brady@gmail.com> wrote:
>> FYI, these are things I plan to work on for the post-5.6 timeframe:
>> - Support for SNI in servers (currently only supported by clients)
>> - Support for DTLS (datagram client/server encryption)
>> - Mitigating the client-initiated renegotiation DoS vector in TLS servers
>> Most TLS changes could probably pass as "security fixes" and may be
>> feasible for 5.6 bugfix releases. The alternative is obviously to put
>> them
>> in master and wait for 5.7. In any case we can cross that bridge when we
>> get there.
> I'd support the renegotiation DOS vector as a current bugfix - it's
> been documented for what, 2 years now since a POC was published?
I'm getting used to delayed security fixes...
+1 for fix it ASAP.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
> Hi all,
> On Wed, Feb 12, 2014 at 10:39 PM, Pádraic Brady <padraic.brady@gmail.com> wrote:
>>> FYI, these are things I plan to work on for the post-5.6 timeframe:
>>> - Support for SNI in servers (currently only supported by clients)
>>> - Support for DTLS (datagram client/server encryption)
>>> - Mitigating the client-initiated renegotiation DoS vector in TLS
>>> servers
>>> Most TLS changes could probably pass as "security fixes" and may be
>>> feasible for 5.6 bugfix releases. The alternative is obviously to put
>>> them
>>> in master and wait for 5.7. In any case we can cross that bridge when we
>>> get there.
>> I'd support the renegotiation DOS vector as a current bugfix - it's
>> been documented for what, 2 years now since a POC was published?
> I'm getting used to delayed security fixes...
> +1 for fix it ASAP.
To interested parties ...
Because it's a security vulnerability for encrypted stream servers I've
taken care of client-initiated renegotiation DoS mitigation and merged it
for 5.6:
https://github.com/php/php-src/pull/600
The implementation uses a standard leaky bucket rate-limiting approach. If
you'd like to know more just click over to the PR link above.
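As an added illustration of the leaky-bucket approach described above (not code from the php-src PR; type and function names are hypothetical), here is a per-connection limiter that tolerates `limit` renegotiations per `window` seconds and flags the connection once the bucket would overflow:

```c
#include <stdbool.h>
#include <stddef.h>
/* Per-connection leaky bucket for client-initiated TLS renegotiations.
 * Illustration only: names are hypothetical, not the php-src implementation. */
typedef struct {
    double   level;    /* current fill, in renegotiation units */
    double   last_ts;  /* time of last drain, in seconds */
    unsigned limit;    /* capacity: renegotiations tolerated per window */
    double   window;   /* seconds over which the bucket drains `limit` units */
} reneg_bucket;

void reneg_bucket_init(reneg_bucket *b, unsigned limit, double window, double now)
{
    b->level = 0.0; b->last_ts = now; b->limit = limit; b->window = window;
}

/* Call once per renegotiation request on an established connection. Returns
 * true if it fits in the bucket; false means the peer exceeded `limit`
 * renegotiations per `window` seconds and the connection should be dropped. */
bool reneg_bucket_allow(reneg_bucket *b, double now)
{
    double elapsed = now - b->last_ts;
    if (elapsed > 0.0 && b->window > 0.0) {
        /* drain at a constant rate of limit/window units per second */
        b->level -= elapsed * ((double)b->limit / b->window);
        if (b->level < 0.0) b->level = 0.0;
        b->last_ts = now;
    }
    if (b->level + 1.0 > (double)b->limit)
        return false;  /* would overflow: reject without filling further */
    b->level += 1.0;
    return true;
}

/* Replay renegotiation timestamps through a fresh bucket; return how many
 * would have been rejected. Used below on constructed sample traffic. */
size_t reneg_count_rejected(unsigned limit, double window, const double *ts, size_t n)
{
    reneg_bucket b;
    size_t rejected = 0;
    reneg_bucket_init(&b, limit, window, n ? ts[0] : 0.0);
    for (size_t i = 0; i < n; i++)
        if (!reneg_bucket_allow(&b, ts[i])) rejected++;
    return rejected;
}

/* Constructed samples: a 5-request burst, and a burst followed by a long pause. */
static const double sample_burst[] = { 0.0, 1.0, 2.0, 3.0, 4.0 };
static const double sample_burst_then_quiet[] = { 0.0, 1.0, 2.0, 500.0 };
```

With a limit of 2 per 300 seconds, the third request of a one-per-second burst is the first one rejected, and a request arriving after a long pause is accepted again because the bucket has drained.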