Hi,
It's been already proposed by Remi using PR [1] so sending it here as well.
I would like to proceed and drop SSL2 support from PHP. Effectively it
means dropping ssl2 stream as it's not already negotiated by default.
It's been dropped in OpenSSL 1.1 and we don't already support it with
1.0.2. Considering that I will be merging dropping support for 0.9.8 and
1.0.0 shortly, it leaves just 1.0.1 that would support it. Considering also
the possible security issues, I think there is no reason to keep it.
Please let me know if any objections.
[1] https://github.com/php/php-src/pull/1826
Cheers
Jakub
If we don't drop SSL2 support we might DROWN in technical debt.
This would get a massive +1 from me. (Can we consider dropping SSL3 too in
7.2?)
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises https://paragonie.com
I'm all for dropping it. Just to be clear though, what's the massive
technical debt we'd drown into?
Cheers
Matteo Beccati
Development & Consulting - http://www.beccati.com/
I was making a reference to the DROWN attack
Hi Jakub,
-----Original Message-----
From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of Jakub Zelenka
Sent: Wednesday, July 13, 2016 9:11 PM
To: PHP internals list internals@lists.php.net
Subject: [PHP-DEV] Dropping SSL2 in 7.1
To be mentioned, even the currently active OpenSSL branches disable SSLv2 by default nowadays. Here's the info https://openssl.org/news/secadv/20160301.txt
Regards
Anatol
The PR has been merged and SSL2 dropped for PHP 7.1