>
> But the RFC is what you wrote about some days ago. Anything I said is
> based on the RFC and the previous conversations. My understanding was that
> you intended to push the exact RFC to a vote. If you now say there's no
> approach and the RFC has to be ignored, then it doesn't help. If there's
> another approach, please present it.


Nobody wants to backport OpenSSL's implementation, so I don't see the
viability of supporting `auth_level`.

I've outlined my current suggestion several mails ago:

-----
I think the best approach for now would be that:

Add two new context options for the "ssl" wrapper:
"insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They
will both default to false starting in PHP 7.2 while the backports to PHP
7.1 and 7.0 will default to true. Additionally there will be two INI
options which are only added to PHP 7.1 and 7.0 to allow people to
immediately upgrade to secure defaults without any risk of breaking other
apps.
-----

Regards, Niklas
