>
>> Well it depends if it requires feature available only in the later version
>> of OpenSSL which would be the case for the currently proposed version of
>> the RFC that would make use of SSL_CTX_set1_sigalgs_list macro. I don't
>> think that we should parse the string of allowed sig algs and re-implement
>> it for OpenSSL versions that are EOL anyway. It's not something unusual to
>> have a feature dependent on the library version. For example we did exactly
>> the same for openssl_pbkdf2 that worked only if it was compiled with
>> OpenSSL 1.0.0+. So if you had PHP 7.0 and OpenSSL 0.9.8, it wasn't
>> available.
>>
>
Having a feature not available is different from having a security issue if
you're using the wrong OpenSSL version.


> I have been thinking about the defaults and I don't think we should have
> any default value for this. Instead we should concentrate on supporting
> security levels [1]. That will give a much better way how to define a
> number of bits security. For example if we have selected level 2 to get 112
> bits of security, then the SSH-1 sig algs would be automatically disabled
> as it offers only 80 bits of security. It would also disable all other
> weaker algs so user couldn't for example use RSA keys shorter than 2048
> bits. That's much better and easier way for users to define the security as
> they would just need to set a number (from 0 to 5 atm). I'm aware that
> this is supported only by OpenSSL 1.1 but I wouldn't see that as an issue.
> At the time the PHP 7.2 is out, there will be much bigger usage of OpenSSL
> 1.1 and the users on lower version could still disable it manually.
>

I've seen that, too. I've been confused by SHA-1 being mentioned at level
4, but I missed that it's only talking about the MAC mechanism there.

I guess this is the better alternative, but either way, we have to fix 5.6+
to remove MD5 support, I think.

Regards, Niklas


> [1] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html
>
> Cheers
>
> Jakub
>
