Morning Internals, I have updated the RFC to use a "min_signature_bits" setting instead.
Please share your thoughts. https://wiki.php.net/rfc/distrust-sha1-certificates Regards, Niklas 2016-11-26 16:49 GMT+01:00 Niklas Keller <m...@kelunik.com>: > Morning Internals, > > I plan to distrust SHA-1 certificates by default in PHP 7.2. All major > browsers will no longer trust SHA-1 certificates starting already > 2017-01-01. > > Unfortunately, PHP doesn't even provide a way yet to limit the accepted > algorithms for certificates. The RFC fixes that and introduces new defaults > for PHP 7.2. The "signature_algorithms" context option will also be > backported to PHP 5.6, which is only supported until the end of 2016 with > regular releases, but after that there will be two more years of > security-only updates. Therefore I'd like to get this done before the end > of 2016. > > Currently the RFC aims for BC and doesn't restrict the algorithms on older > versions. As all major browsers start distrusting those certificates on > 2017-01-01 I'm not sure whether that's the correct choice. I'd like to go > secure-by-default there and disable SHA-1 also on older versions. People > which really need longer can always opt-out and add the needed algorithms > again. Unfortunately, we didn't announce any plans regarding SHA-1 yet, so > this might be a bit last-minute. > > You can read the full RFC in the wiki: https://wiki.php.net/ > rfc/distrust-sha1-certificates > > Regards, Niklas >
