> -----Original Message-----
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Tuesday, July 4, 2017 8:21 PM
> To: Anatol Belski <weltl...@outlook.de>
> Cc: Sara Golemon <poll...@php.net>; Jakub Zelenka <bu...@php.net>; PHP
> Internals <internals@lists.php.net>
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> 
> 2017-07-04 13:33 GMT+02:00 Anatol Belski <weltl...@outlook.de>:
> 
>       An INI option doesn't seem necessary. If there's a stream context
> option, the existing code has to be touched. Those who do it, know what they
> do. Same as with the other issue about TLS - stable branches, that have active
> users already, we shouldn't enforce the change, but just offer it.
> 
> 
> 
> The issue without INI option is that it requires a code change. We can't just
> tell people "better apply this configuration change to have secure TLS". I'd
> definitely want this to be enabled _everywhere_.
> 
> 
>       I'd be also against an INI option in the sense it's being suggested,
> because it would be not useful in 7.2 and above. As you mention also, they may
> have the reverse effect in 7.2.
> 
> 
> We can prevent the reverse effect by ignoring it if it has bad security effects.
> 
> 
>       The current RFC doesn't mention any INI, and I think it's too much
> inconsistency having both ini and stream context.
> 
> 
> Forget about everything that's in the RFC about the actual implementation.
> It's an older idea that needs to be updated based on what's suggested and seems
> acceptable.
> 
But the RFC is what you wrote about some days ago. Anything I said is based on
the RFC and the previous conversations. My understanding was that you
intended to push the exact RFC to vote. If you say now there's no approach and
the RFC has to be ignored, then it doesn't help. If there's another approach,
please present it.

Regards

Anatol

