Re: [PHP-DEV] OpenSSL - New Defaults

2016-11-07 Thread Fleshgrinder
On 11/7/2016 3:41 PM, Alice Wonder wrote: > On 11/07/2016 04:29 AM, Nikita Nefedov wrote: >> It might make even more sense to not provide a default here at all. As >> history shows that those methods that are considered secure today can >> become less-than-desirably secure in a couple of years. Whi

Re: [PHP-DEV] OpenSSL - New Defaults

2016-11-07 Thread Alice Wonder
On 11/07/2016 04:29 AM, Nikita Nefedov wrote: *snip* Hey, It might make even more sense to not provide a default here at all. As history shows that those methods that are considered secure today can become less-than-desirably secure in a couple of years. Which means the same cycle of depr

Re: [PHP-DEV] OpenSSL - New Defaults

2016-11-07 Thread Nikita Nefedov
> On 7 Nov 2016, at 03:35, Scott Arciszewski wrote: > >> On Sun, Nov 6, 2016 at 2:19 PM, Jakub Zelenka wrote: >> Hi, >> >> On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski >> wrote: >>> >>> Hi, >>> >>> Can we change openssl_public_encrypt() and openssl_private_decrypt() from >>> defaultin

Re: [PHP-DEV] OpenSSL - New Defaults

2016-11-06 Thread Scott Arciszewski
On Sun, Nov 6, 2016 at 2:19 PM, Jakub Zelenka wrote: > Hi, > > On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski > wrote: >> >> Hi, >> >> Can we change openssl_public_encrypt() and openssl_private_decrypt() from >> defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP? >> >> I'll create

Re: [PHP-DEV] OpenSSL - New Defaults

2016-11-06 Thread Niklas Keller
2016-11-06 20:19 GMT+01:00 Jakub Zelenka : > Hi, > > On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski > wrote: > > > Hi, > > > > Can we change openssl_public_encrypt() and openssl_private_decrypt() from > > defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP? > > > > I'll create an R

Re: [PHP-DEV] OpenSSL - New Defaults

2016-11-06 Thread Jakub Zelenka
Hi, On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski wrote: > Hi, > > Can we change openssl_public_encrypt() and openssl_private_decrypt() from > defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP? > > I'll create an RFC for this later. It will just prevent a lot of issues. > > To

[PHP-DEV] OpenSSL - New Defaults

2016-11-03 Thread Scott Arciszewski
Hi, Can we change openssl_public_encrypt() and openssl_private_decrypt() from defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP? I'll create an RFC for this later. It will just prevent a lot of issues. To wit: - https://framework.zend.com/security/advisory/ZF2015-10 - https://gith
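The thread above argues about which padding mode PHP's `openssl_public_encrypt()` and `openssl_private_decrypt()` should default to. Whatever the default ends up being, application code can sidestep the question entirely by passing the padding constant explicitly on both sides. The following is an added example written for this page, not code from the thread or from PHP itself; the two wrapper function names are invented for illustration, the key pair is generated on the fly, and the payload is a constructed 32-byte session key, the kind of value RSA encryption is normally used to wrap.

```php
<?php
// Added example (not from the thread): pass the padding mode explicitly
// on both sides instead of relying on the default, which in PHP is
// OPENSSL_PKCS1_PADDING (PKCS#1 v1.5), the mode the thread proposes to
// replace with OAEP.
declare(strict_types=1);

// Throwaway 2048-bit RSA key pair for the demonstration.
$private = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($private === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($private)['key'];

// Hypothetical wrapper names. Both helpers hard-code OAEP so the padding
// mode can never drift between the encrypting and decrypting side.
function rsa_encrypt_oaep(string $plaintext, string $publicPem): string
{
    $out = '';
    if (!openssl_public_encrypt($plaintext, $out, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $out;
}

function rsa_decrypt_oaep(string $ciphertext, $privateKey): string
{
    $out = '';
    if (!openssl_private_decrypt($ciphertext, $out, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $out;
}

// Constructed sample payload: a random symmetric key (hybrid encryption),
// not an arbitrary-length message, which RSA cannot encrypt directly.
$sessionKey = random_bytes(32);
$wrapped    = rsa_encrypt_oaep($sessionKey, $publicPem);
$unwrapped  = rsa_decrypt_oaep($wrapped, $private);
var_dump(hash_equals($sessionKey, $unwrapped));

// Padding modes do not interoperate. A ciphertext produced with the
// current default (PKCS#1 v1.5) is rejected by an OAEP decrypt call
// rather than silently decoded, so a mismatch surfaces as a hard error.
$v15 = '';
openssl_public_encrypt($sessionKey, $v15, $publicPem, OPENSSL_PKCS1_PADDING);
$plain = '';
var_dump(openssl_private_decrypt($v15, $plain, $private, OPENSSL_PKCS1_OAEP_PADDING));
```

Two caveats a practitioner should know: the first `var_dump` prints `bool(true)` and the second `bool(false)`, which is the point of the last block, and if a deployed system already holds PKCS#1 v1.5 ciphertexts, switching the decrypt side to OAEP is a migration, not a flag flip, because those ciphertexts can no longer be opened. Also, with `OPENSSL_PKCS1_OAEP_PADDING` these PHP functions hand OpenSSL's `RSA_PKCS1_OAEP_PADDING` mode, which uses SHA-1 for the OAEP hash and MGF1; the functions expose no parameter to choose a different hash, so interoperating peers must agree on that combination.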