2017-05-30 22:26 GMT+02:00 Jakub Zelenka <bu...@php.net>:

> On Mon, May 29, 2017 at 9:16 PM, Niklas Keller <m...@kelunik.com> wrote:
>
>> 2017-05-29 22:00 GMT+02:00 Jakub Zelenka <bu...@php.net>:
>>
>>> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller <m...@kelunik.com> wrote:
>>>
>>>> Morning Internals,
>>>>
>>>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>>>
>>>
>>> Wouldn't it be better to use security levels instead as it is in OpenSSL? Of
>>> course I mean just for sig level to not re-implement everything. Basically
>>> having sig_level or something like that...
>>>
>>
>> As we can't use the OpenSSL implementation directly, I don't see any
>> reason to use arbitrary integers there which you have to look up again.
>> Maybe we should find a totally different way.
>>
>
> Well we are going to implement security levels at some point anyway as it
> is the primary way how to control security strength in OpenSSL 1.1+ so
> people will need to look it up anyway. It is also much easier to use than
> directly setting security bits IMHO. It might also allow us to simplify
> implementation in the future (for example if it gets separated to its own
> verify param in the future, we could use that). Also we will be able to
> just completely skip that if the main security level is already on that
> level or higher (it would be already covered by that).
>
> Please mind that this is an openssl extension so we should prefer the API
> offered by the library and not trying to invent our own solutions.
>
> Cheers
>
> Jakub
>
What's the way to proceed now? Time is running low for the PHP 7.2 feature freeze.

I've implemented it manually for https://github.com/amphp/socket/pull/31 now. The captured chain always seems to contain the trusted certificate as last certificate.

Honestly, what isn't secure for the public internet PKI shouldn't be considered secure for other contexts. I'd personally be fine with not even providing a setting other than disabling verify_peer.

Regards, Niklas
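
Added illustration, not part of the thread, the RFC, or amphp/socket: checking the signature digests of a captured peer chain against an OpenSSL-style security level while skipping the trusted certificate that comes last. The function names, the digest-to-bits table (half the digest length) and the constructed sample chain are assumptions of this example, which also assumes an OpenSSL build that still permits creating SHA-1 signatures for the sample.

```php
<?php
// Added example; names and the digest table are assumptions, not the RFC's API.
// Nominal collision strength in bits (half the digest length).
const DIGEST_BITS = ['md5' => 64, 'sha1' => 80, 'sha224' => 112,
                     'sha256' => 128, 'sha384' => 192, 'sha512' => 256];
// Minimum security bits OpenSSL documents for security levels 1 to 5.
const LEVEL_BITS = [1 => 80, 2 => 112, 3 => 128, 4 => 192, 5 => 256];

function signature_bits($cert): int
{
    $info = openssl_x509_parse($cert);
    $name = strtolower($info['signatureTypeLN'] ?? '');
    foreach (DIGEST_BITS as $digest => $bits) {
        if (strpos($name, $digest) !== false) {
            return $bits;
        }
    }
    return 0; // unrecognised signature algorithm: fail closed
}

// $chain is leaf first, as captured with the "capture_peer_cert_chain" option.
// Assumption taken from the thread: the last entry is the trusted certificate,
// so its own signature is not checked.
function chain_meets_level(array $chain, int $level): bool
{
    foreach (array_slice($chain, 0, -1) as $cert) {
        if (signature_bits($cert) < LEVEL_BITS[$level]) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a leaf signed with $leafDigest under a self-signed root.
function demo_chain(string $leafDigest): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $rootCsr = openssl_csr_new(['commonName' => 'Example Root'], $key);
    $root = openssl_csr_sign($rootCsr, null, $key, 1, ['digest_alg' => 'sha256']);
    $leafCsr = openssl_csr_new(['commonName' => 'leaf.example'], $key);
    $leaf = openssl_csr_sign($leafCsr, $root, $key, 1, ['digest_alg' => $leafDigest]);
    return [$leaf, $root];
}

foreach (['sha1', 'sha256'] as $digest) {
    $ok = chain_meets_level(demo_chain($digest), 2);
    echo $digest, ' leaf at level 2: ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```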