Hi Niklas, > -----Original Message----- > From: Niklas Keller [mailto:m...@kelunik.com] > Sent: Monday, July 3, 2017 7:13 PM > To: Anatol Belski <weltl...@outlook.de>; Sara Golemon <poll...@php.net> > Cc: Jakub Zelenka <bu...@php.net>; PHP Internals <internals@lists.php.net> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates > > I think the best approach for now would be that: > > Add two new context options for the "ssl" wrapper: > "insecure_allow_md5_signature" and "insecure_allow_sha1_signature". They > will both default to false starting in PHP 7.2 while the backports to PHP 7.1 > and > 7.0 will default to true. Additionally there will be two INI options which > are only > added to PHP 7.1 and 7.0 to allow people to immediately upgrade to secure > defaults without any risk of breaking other apps. > Same as Ferenc, I couldn't find anything in other languages but this about Java http://openjdk.java.net/jeps/288 . Seems a well thought approach and your suggestion about the stream context is similar.
Probably it is the minimum, whereby the JDK has more flexible options and more constraints, which might be too flexible for us.Anyway, users are more in control about more details, in PHP we still hide many details. For example, consider things like `RSA keySize < 1024`, it is solvable in PHP with the stream context option, but hardly through INI. And this one is fun `SHA1 usage SignedJAR & denyAfter 2017-01-01`, too. Regards Anatol -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
