Hi Thomas,

> -----Original Message-----
> From: Thomas Hruska [mailto:thru...@cubiclesoft.com]
> Sent: Tuesday, May 9, 2017 5:33 PM
> To: PHP Development <internals@lists.php.net>
> Subject: [PHP-DEV] TLS v1.2 -only- deployments
> 
> Over the past two weeks, I've observed quite a bit of PHP 7+ userland code
> breaking due to remote hosts switching to a TLS 1.2 only policy.
> For various specific reasons, I strongly suspect that PCI DSS 3.1 implementations
> or compliance audits against that spec have something to do with the changes
> that I'm seeing:
> 
> https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
> 
> In just the last two weeks, I've seen completely unrelated servers of various
> vendors go offline for an upgrade.  When they come back up a short bit later,
> they are suddenly configured for TLS 1.2 only.  Running a Qualys SSL labs test
> confirms the changes.  It's a rather specific change to encounter in such a short
> period of time.
> 
> PHP userland code (e.g. stream_socket_client()) is unable to connect to such
> hosts via "tls://" host strings.  The string has to be updated to use the
> version-specific string "tlsv1.2://" before the connecting code starts working again.
> 
What would be interesting is to know some of the exact servers you mention, to
verify, if it were possible to call them by name. In general, having some
reliable stats on the matter would probably not be bad. Particularly with the
reason you suspect - so if the changes are driven by the payment branch, they
probably should be respected by both apps and servers. If some server providers
make changes suddenly, thus breaking customer apps, we need to evaluate the
extent of the breakage. For example, stats linked by Qualys SSL Labs itself tell
that there are still over 90% of about 140 000 servers supporting TLS 1.0. OFC.
Though there are some billions of servers around the globe, so I'm not sure how
representative the stats are. I think in any case, especially if apps are branch
specific, explicit TLS 1.2 is probably the best way, like anything explicit in
security.

Regards

Anatol
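As an added illustration of the "explicit TLS 1.2" approach discussed in this thread (this is example code, not code from either poster or from php-src): the connection is pinned to TLS 1.2 both through the version-specific "tlsv1.2://" wrapper string that Thomas mentions and through the `crypto_method` SSL context option, with peer and hostname verification left on so that the explicit version does not come at the cost of certificate checking. The CA bundle path and the host name used are assumptions, and the script only opens a connection when a host is passed on the command line.

```php
<?php
// Added example, not from the thread. Connect to a host using an explicit
// TLS 1.2 client method, keeping certificate and hostname verification on.
// Assumptions: CA bundle path below is a placeholder; adjust for your system.

function connectTls12(string $host, int $port = 443, float $timeout = 10.0): array
{
    $context = stream_context_create([
        'ssl' => [
            // Explicit TLS 1.2 rather than whatever the bare "tls://" wrapper
            // selects in this PHP version.
            'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
            // Do not trade verification for protocol pinning.
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host,
            'SNI_enabled'      => true,
            'cafile'           => '/etc/ssl/certs/ca-certificates.crt', // placeholder
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    // The version-specific wrapper string from the thread; together with
    // crypto_method above this leaves no ambiguity about the protocol.
    $fp = @stream_socket_client(
        "tlsv1.2://{$host}:{$port}",
        $errno,
        $errstr,
        $timeout,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($fp === false) {
        throw new RuntimeException(
            "TLS 1.2 connect to {$host}:{$port} failed: [{$errno}] {$errstr}"
        );
    }

    // Report what was actually negotiated so a deployment can be checked.
    $meta   = stream_get_meta_data($fp);
    $crypto = isset($meta['crypto']) ? $meta['crypto'] : [];
    return [$fp, $crypto];
}

// Usage (needs network access): php this_script.php example.com
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    list($fp, $crypto) = connectTls12($argv[1]);
    fwrite($fp, "HEAD / HTTP/1.0\r\nHost: {$argv[1]}\r\n\r\n");
    echo 'negotiated: ', isset($crypto['protocol']) ? $crypto['protocol'] : 'unknown',
         ' / ', isset($crypto['cipher_name']) ? $crypto['cipher_name'] : 'unknown', "\n";
    fclose($fp);
}
```

The `crypto` entry returned by `stream_get_meta_data()` is the quickest way to confirm from inside the application which protocol version a remote host actually accepted, which is the check a developer hit by the breakage Thomas describes would want before and after a remote host's upgrade.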
