Hi Davey,

> -----Original Message-----
> From: m...@daveyshafik.com [mailto:m...@daveyshafik.com] On Behalf Of Davey Shafik
> Sent: Tuesday, July 4, 2017 8:53 AM
> To: Niklas Keller <m...@kelunik.com>
> Cc: Sara Golemon <poll...@php.net>; Anatol Belski <weltl...@outlook.de>;
> Jakub Zelenka <bu...@php.net>; PHP Internals <internals@lists.php.net>
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> It should be noted that Certificate Authorities (CAs) haven't been issuing
> SHA-1 certs since December 31st 2015.
>
> I think the best solution if possible, would be to treat MD5 and SHA-1 certs
> as invalid in _all_ supported versions of PHP and requiring that the
> verify_peer option be set to false to accept them.
>

Wouldn't verify_peer introduce another issue, that not only md5 and sha1 but also any certs would be accepted, that normally shouldn't be?

Regards

Anatol