Hi, > -----Original Message----- > From: Niklas Keller [mailto:m...@kelunik.com] > Sent: Monday, July 3, 2017 8:12 PM > To: Sara Golemon <poll...@php.net> > Cc: Anatol Belski <weltl...@outlook.de>; Jakub Zelenka <bu...@php.net>; PHP > Internals <internals@lists.php.net> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates > > 2017-07-03 19:24 GMT+02:00 Sara Golemon <poll...@php.net > <mailto:poll...@php.net> >: > > > On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller <m...@kelunik.com > <mailto:m...@kelunik.com> > wrote: > > Additionally there will be two INI options > > which are only added to PHP 7.1 and 7.0 to allow people to > immediately > > upgrade to secure defaults without any risk of breaking other apps. > > > I understand what you're going for there, but it's just a bit weird to > have that INI option exist for a weird pair of version ranges and not > forward. I'd say keep the INI in 7.2 and (perhaps) mark them > deprecated. There's no sense making that upgrade path unreasonably > difficult. > > > > True, but I'd like it to be an INI option to strengthen the security, but not > allow > to weaken it. You really shouldn't use MD5 or SHA1 for TLS certificates 2018 > (!). > If you really need it there, you can still set a default stream context > option, but > we won't clutter the INI options of future versions. > An INI option doesn't seem necessary. If there's a stream context option, the existing code has to be touched. Those who do it, know what they do. Same as with the other issue about TLS - stable branches, that have active users already, we shouldn't enforce the change, but just offer it.
I'd be also against an INI option in the sense it's being suggested, because it would be not useful in 7.2 and above. As you mention also, they may have the reverse effect in 7.2. The current RFC doesn't mention any INI, and I think it's too much inconsistency having both ini and stream context. As linked in the other mail, what we could do is introduce INI options only, Java alike, that would control the behavior same way in every branch. As much as almost no one likes new INI options, it would mean likely no backport were required. A stream context option sounds more plausible and future oriented to me, however. Regards Anatol -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
