2017-07-04 13:33 GMT+02:00 Anatol Belski <weltl...@outlook.de>: > Hi, > > > -----Original Message----- > > From: Niklas Keller [mailto:m...@kelunik.com] > > Sent: Monday, July 3, 2017 8:12 PM > > To: Sara Golemon <poll...@php.net> > > Cc: Anatol Belski <weltl...@outlook.de>; Jakub Zelenka <bu...@php.net>; > PHP > > Internals <internals@lists.php.net> > > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates > > > > 2017-07-03 19:24 GMT+02:00 Sara Golemon <poll...@php.net > > <mailto:poll...@php.net> >: > > > > > > On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller <m...@kelunik.com > > <mailto:m...@kelunik.com> > wrote: > > > Additionally there will be two INI options > > > which are only added to PHP 7.1 and 7.0 to allow people to > > immediately > > > upgrade to secure defaults without any risk of breaking other > apps. > > > > > I understand what you're going for there, but it's just a bit > weird to > > have that INI option exist for a weird pair of version ranges and > not > > forward. I'd say keep the INI in 7.2 and (perhaps) mark them > > deprecated. There's no sense making that upgrade path unreasonably > > difficult. > > > > > > > > True, but I'd like it to be an INI option to strengthen the security, > but not allow > > to weaken it. You really shouldn't use MD5 or SHA1 for TLS certificates > 2018 (!). > > If you really need it there, you can still set a default stream context > option, but > > we won't clutter the INI options of future versions. > > > An INI option doesn't seem necessary. If there's a stream context option, > the existing code has to be touched. Those who do it, know what they do. > Same as with the other issue about TLS - stable branches, that have active > users already, we shouldn't enforce the change, but just offer it. >
The issue without INI option is that it requires a code change. We can't just tell people "better apply this configuration change to have secure TLS". I'd definitely want this to be enabled _everywhere_. > I'd be also against an INI option in the sense it's being suggested, > because it would be not useful in 7.2 and above. As you mention also, they > may have the reverse effect in 7.2. We can prevent the reverse effect by ignoring it if it has bad security effects. > The current RFC doesn't mention any INI, and I think it's too much > inconsistency having both ini and stream context. Forget about everything that's in the RFC about the actual implementation. It's an older idea that needs to be updated based on what's suggested and seems acceptable. > As linked in the other mail, what we could do is introduce INI options > only, Java alike, that would control the behavior same way in every branch. > As much as almost no one likes new INI options, it would mean likely no > backport were required. You still need to backport it then. > A stream context option sounds more plausible and future oriented to me, > however. Regards, Niklas
