Hi Davey,

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Davey Shafik
> Sent: Tuesday, July 4, 2017 8:53 AM
> To: Niklas Keller <[email protected]>
> Cc: Sara Golemon <[email protected]>; Anatol Belski <[email protected]>; Jakub Zelenka <[email protected]>; PHP Internals <[email protected]>
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> It should be noted that Certificate Authorities (CAs) haven't been issuing SHA-1
> certs since December 31st 2015.
>
> I think the best solution if possible, would be to treat MD5 and SHA-1 certs as
> invalid in _all_ supported versions of PHP and requiring that the verify_peer
> option be set to false to accept them.
>

Wouldn't verify_peer introduce another issue, that not only md5 and sha1 but also any certs would be accepted, that normally shouldn't be?

Regards

Anatol
