On Sat, Nov 26, 2016 at 3:49 PM, Niklas Keller <m...@kelunik.com> wrote:

> Morning Internals,
>
> I plan to distrust SHA-1 certificates by default in PHP 7.2. All major
> browsers will no longer trust SHA-1 certificates starting already
> 2017-01-01.
>
> Unfortunately, PHP doesn't even provide a way yet to limit the accepted
> algorithms for certificates. The RFC fixes that and introduces new defaults
> for PHP 7.2. The "signature_algorithms" context option will also be
> backported to PHP 5.6, which is only supported until the end of 2016 with
> regular releases, but after that there will be two more years of
> security-only updates. Therefore I'd like to get this done before the end
> of 2016.
>
> Currently the RFC aims for BC and doesn't restrict the algorithms on older
> versions. As all major browsers start distrusting those certificates on
> 2017-01-01 I'm not sure whether that's the correct choice. I'd like to go
> secure-by-default there and disable SHA-1 also on older versions. People
> who really need longer can always opt out and add the needed algorithms
> again. Unfortunately, we didn't announce any plans regarding SHA-1 yet, so
> this might be a bit last-minute.
>
> You can read the full RFC in the wiki:
> https://wiki.php.net/rfc/distrust-sha1-certificates
>
>
I think you should change the format to match the one supported by OpenSSL
[1] which is also simpler.

In general I'm not a big fan of such defaults especially when new values
can be added later (e.g. EdDSA that is specified in TLS 1.3) so we have to
keep it up to date, which was kind of an issue in the past. However, I see the
point that we should make it easier for users to have it secure by default
so it's probably a good choice. It's not actually just about SHA

I'm not so sure about 5.6 as we are very close to the end of active support
and if this introduces any bug, we won't be able to fix it. It would also
be motivation for some users to update to 7.

[1] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set1_sigalgs_list.html
[2]

Cheers

Jakub
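
The colon-separated `KEY+DIGEST` list format from the OpenSSL page linked as [1], shown as an added example that is not part of the thread or of PHP: a small linter that parses such a list and reports or removes SHA-1 and MD5 entries. The function names, the accepted name sets and the sample string are assumptions made for illustration; names are matched exactly as written.

```python
"""Lint an OpenSSL-style signature-algorithm list for weak digests."""

# Names accepted by this example (assumption: the key and digest strings
# named in the OpenSSL 1.1.0 documentation for this list format).
KNOWN_KEYS = {"RSA", "DSA", "ECDSA"}
KNOWN_DIGESTS = {"MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
# Policy choice for this example: digests to distrust.
WEAK_DIGESTS = {"MD5", "SHA1"}

# Constructed sample value, not taken from any real configuration.
SAMPLE = "ECDSA+SHA256:RSA+SHA256:RSA+SHA1:ECDSA+SHA1"


def parse_sigalgs(spec):
    """Split 'KEY+DIGEST:KEY+DIGEST' into a list of (key, digest) tuples.

    Raises ValueError for empty entries, entries without '+', and names
    outside the sets above, so a typo is not silently ignored.
    """
    pairs = []
    for entry in spec.split(":"):
        key, sep, digest = entry.partition("+")
        if not sep or key not in KNOWN_KEYS or digest not in KNOWN_DIGESTS:
            raise ValueError(f"unrecognised entry: {entry!r}")
        pairs.append((key, digest))
    return pairs


def weak_entries(spec):
    """Return the entries whose digest is on the distrust list, in order."""
    return [f"{k}+{d}" for k, d in parse_sigalgs(spec) if d in WEAK_DIGESTS]


def strip_weak(spec):
    """Return the list with weak-digest entries removed, order preserved.

    Refuses to return an empty list: an empty value could be read by the
    consumer as "no restriction" rather than "nothing allowed".
    """
    kept = [f"{k}+{d}" for k, d in parse_sigalgs(spec) if d not in WEAK_DIGESTS]
    if not kept:
        raise ValueError("no algorithms left after removing weak digests")
    return ":".join(kept)


if __name__ == "__main__":
    print("weak:", weak_entries(SAMPLE))
    print("hardened:", strip_weak(SAMPLE))
```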
