If we don't drop SSL2 support we might DROWN in technical debt. This would get a massive +1 from me. (Can we consider dropping SSL3 too in 7.2?)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

On Wed, Jul 13, 2016 at 3:11 PM, Jakub Zelenka <bu...@php.net> wrote:

> Hi,
>
> It's been already proposed by Remi using PR [1] so sending it here as well.
> I would like to proceed and drop SSL2 support from PHP. Effectively it
> means dropping ssl2 stream as it's not already negotiated by default.
>
> It's been dropped in OpenSSL 1.1 and we don't already support it with
> 1.0.2. Considering that I will be merging dropping support for 0.9.8 and
> 1.0.0 shortly, it leaves just 1.0.1 that would support it. Considering also
> the possible security issues, I think there is no reason to keep it.
>
> Please let me know if any objections.
>
> [1] https://github.com/php/php-src/pull/1826
>
> Cheers
>
> Jakub
>