On 5/11/2017 4:08 AM, Anatol Belski wrote:
Hi Thomas,
-----Original Message-----
From: Thomas Hruska [mailto:thru...@cubiclesoft.com]
Sent: Tuesday, May 9, 2017 5:33 PM
To: PHP Development <internals@lists.php.net>
Subject: [PHP-DEV] TLS v1.2 -only- deployments
Over the past two weeks, I've observed quite a bit of PHP 7+ userland code
breaking due to remote hosts switching to a TLS 1.2 only policy.
For various specific reasons, I strongly suspect that PCI DSS 3.1 implementations
or compliance audits against that spec have something to do with the changes
that I'm seeing:
https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
In just the last two weeks, I've seen completely unrelated servers of various
vendors go offline for an upgrade. When they come back up a short bit later,
they are suddenly configured for TLS 1.2 only. Running a Qualys SSL Labs test
confirms the changes. It's a rather specific change to encounter in such a
short period of time.
PHP userland code (e.g. stream_socket_client()) is unable to connect to such
hosts via "tls://" host strings. The string has to be updated to use the
version-specific string "tlsv1.2://" before the connecting code starts working again.
What would be interesting is to know some of the exact servers you mention, to
verify, if it were possible to call them by name. In general, having some
reliable stats on the matter would probably not be bad. Particularly with the reason you
suspect: if the changes are driven by the payment branch, they probably
should be respected by both apps and servers. If some server providers make
changes suddenly, thus breaking customer apps, we need to evaluate the extent
of the breakage. F.e. the stats linked by Qualys Labs itself say that still
over 90% of about 140,000 servers support TLS 1.0, of course. Though there are
some billions of servers around the globe, so I'm not sure how representative the
stats are. I think in any case, especially if apps are branch specific,
explicit TLS 1.2 is probably the best way, like anything explicit in security.
Regards
Anatol
Sorry for the delayed reply.
For NDA reasons, I can't tell you which servers or vendors are involved.
All I know is that I saw a bunch of systems across disparate vendors
in a very short amount of time switching to TLS 1.2 only, which left me
confused and wondering what in the world was going on. Only after
someone in a completely unrelated context forwarded me a message they
received from Authorize.net did I make a PCI DSS connection - all of the
systems that changed are involved with PCI compliance and auditing to
various degrees. Authorize.net recently publicly announced that they
are migrating to TLS 1.2 only and have already switched their sandbox
environment over:
https://community.developer.authorize.net/t5/News-and-Announcements/Experiencing-Sandbox-Connection-Issues-TLS-1-2-Is-Now-Required/td-p/57948
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you will find useful.
http://cubiclesoft.com/
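As an added example, not code from either poster: the workaround the thread describes is to replace "tls://" with "tlsv1.2://" in every host string; the same explicit pinning can be done once through the stream context's `crypto_method` option, leaving the transport string alone, and the negotiated protocol can be read back to confirm a deployment (PHP 7.2 later widened the generic `tls://` default to include TLS 1.1 and 1.2). The host is a placeholder, and the `crypto` entry in `stream_get_meta_data()` is assumed to be the one ext/openssl adds to encrypted streams.

```php
<?php
// Added example (not from the thread): connect to a host that accepts only
// TLS 1.2 without editing the "tls://" host string, by pinning the protocol
// version through the stream context instead of the URL scheme.

function connectTls12(string $host, int $port = 443, float $timeout = 10.0)
{
    // Explicit protocol version plus full certificate and hostname checks.
    $ctx = stream_context_create([
        'ssl' => [
            'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host, // SNI name and hostname-check target
        ],
    ]);

    $errno  = 0;
    $errstr = '';
    $sock = @stream_socket_client(
        "tls://{$host}:{$port}", // generic scheme stays as-is
        $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        throw new RuntimeException(
            "TLS connect to {$host}:{$port} failed ({$errno}): {$errstr}");
    }
    return $sock;
}

// Report which protocol was actually negotiated, so a deployment can be
// checked from PHP itself. Assumes the 'crypto' metadata that ext/openssl
// attaches to encrypted streams (protocol, cipher_name, cipher_bits).
function negotiatedProtocol($sock): string
{
    $meta = stream_get_meta_data($sock);
    return $meta['crypto']['protocol'] ?? 'unknown';
}

$host = 'example.com'; // placeholder: use a TLS 1.2-only endpoint to test
try {
    $sock = connectTls12($host);
    fwrite($sock, "HEAD / HTTP/1.0\r\nHost: {$host}\r\n\r\n");
    echo 'negotiated: ', negotiatedProtocol($sock), "\n";
    echo fgets($sock); // first line of the HTTP response
    fclose($sock);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Against a host that still allows only TLS 1.0, the same call fails with a handshake error, which is the intended behaviour of an explicit pin.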
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php