Hey,

On Mon, Jul 17, 2017 at 8:58 AM, Niklas Keller <m...@kelunik.com> wrote:

> Hi,
>
>> > After reading related discussion on openssl-users [1], I'm not so sure if
>> > we should be doing that at all...
>> >
>> > Especially I agree with this bit:
>> >
>> > "Making your code more complex is a far higher risk than a practical
>> > certificate forgery based on a collision attack on SHA-1. "
>> >
>> > The only thing, that makes sense IMHO would be adding support for
>> > setting security level only for OpenSSL 1.1.
>> >
>> > [1]
>> > http://openssl.6102.n7.nabble.com/Rejecting-SHA-1-certificates-td71439.html
>> >
>> >
>> > Same here actually. While it's trivial to implement with OpenSSL 1.1,
>> > it's non-trivial before, because there's no API to get the trusted chain
>> > AFAIK, so we would indeed have to do this inside verify_callback.
>> >
>> Thanks for the responses and for the discussion link. With that, the
>> situation is simplified a lot. This allows for a better conceived patch and
>> there's obviously no strong reason to touch the stable branches.
>>
>> Thanks.
>>
>> Anatol
>>
>
> @Jakub: Do we want to expose "auth_level" then in case PHP is linked
> against OpenSSL 1.1.0+?
>

I just pushed support for security_level [1] which is more comprehensive and the patch is also very simple. Apologies for such a last-minute addition but I felt that it is really useful for 7.2 and I have already messaged about that and haven't heard any objections. Of course if anyone feels strongly against it, I will be happy to reconsider it.

Cheers

Jakub