>
> I just pushed support for security_level [1] which is more comprehensive
> and the patch is also very simple.
>
> Apologies for such a last-minute addition but I felt that it is really useful
> for 7.2 and I have already messaged about that and haven't heard any
> objections. Of course if anyone feels strongly against it, I will be happy
> to reconsider it.
>
Unfortunately I forgot about it, but it defaults to 0, which is equivalent to prior OpenSSL versions. I guess it might make sense for consistency, but we probably want to raise it to at least "1" in PHP 7.3 or maybe even "2". OpenSSL's man page explicitly recommends against setting it higher than "1", but only because of SHA-1, which should be phased out by now.

Regards,
Niklas