>
> I just pushed support for security_level [1] which is more comprehensive
> and the patch is also very simple.
>
> Apology for such last minute addition but I felt that it is really useful
> for 7.2 and I have already messaged about that and haven't heard any
> objections. Of course if anyone fe
Hey,
On Mon, Jul 17, 2017 at 8:58 AM, Niklas Keller wrote:
> Hi,
>>
>> > After reading related discussion on openssl-users [1], I'm not so
>> sure if
>> > we should be doing that at all...
>> >
>> > Especially I agree with this bit:
>> >
>> > "Making your code more comple
>
> Hi,
>
> > After reading related discussion on openssl-users [1], I'm not so
> sure if
> > we should be doing that at all...
> >
> > Especially I agree with this bit:
> >
> > "Making your code more complex is a far higher risk than a
> practical
> > certificate forg
Hi,
> After reading related discussion on openssl-users [1], I'm not so sure
> if
> we should be doing that at all...
>
> Especially I agree with this bit:
>
> "Making your code more complex is a far higher risk than a practical
> certificate forgery based on a col
> > > To: Niklas Keller
> > > Cc: Sara Golemon ; Jakub Zelenka ; PHP
> > > Internals
> > > Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> > >
> > > Morning, guys,
> > >
> > > > -Original Message-
> > > To: Anatol Belski
> > > Cc: Sara Golemon ; Jakub Zelenka ; PHP
> > > Internals
> > > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> > >
> > > Ok, so you strive to create a completely new RFC with a solution
>
Hi,
> -Original Message-
> From: Anatol Belski [mailto:weltl...@outlook.de]
> Sent: Thursday, July 6, 2017 4:52 PM
> To: Niklas Keller
> Cc: Sara Golemon ; Jakub Zelenka ; PHP
> Internals
> Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificat
Morning, guys,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Wednesday, July 5, 2017 4:39 PM
> To: Anatol Belski
> Cc: Sara Golemon ; Jakub Zelenka ; PHP
> Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> > Cc: Anatol Belski ; Sara Golemon ;
> PHP
> > Internals
> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> >
> > Hi,
> >
> >
> > On Tue, Jul 4, 2017 at 10:13 PM, Niklas Keller wrote:
>
>
> Ok, so you strive to create a completely new RFC with a solution based on
> today's situation. I think you still don't see my point. Say there's
> insecure_allow_sha1_signature, which is a stream context. Then
>
> - in 7.0 and 7.1
> - if absent, insecure_allow_sha1_signature = true
> - if p
Hi Jakub,
> -Original Message-
> From: jakub@gmail.com [mailto:jakub@gmail.com] On Behalf Of Jakub
> Zelenka
> Sent: Wednesday, July 5, 2017 3:24 PM
> To: Niklas Keller
> Cc: Anatol Belski ; Sara Golemon ; PHP
> Internals
> Subject: Re: [PHP-DEV]
Hi Davey,
> -Original Message-
> From: m...@daveyshafik.com [mailto:m...@daveyshafik.com] On Behalf Of Davey
> Shafik
> Sent: Tuesday, July 4, 2017 8:53 AM
> To: Niklas Keller
> Cc: Sara Golemon ; Anatol Belski ;
> Jakub Zelenka ; PHP Internals
> Subject
Hi,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Wednesday, July 5, 2017 9:43 AM
> To: Anatol Belski
> Cc: Sara Golemon ; Jakub Zelenka ; PHP
> Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
>
Hi,
On Tue, Jul 4, 2017 at 10:13 PM, Niklas Keller wrote:
> But the RFC is what you wrote about some days ago. Anything I told is
>> based on the RFC and the previous conversations. My understanding was that
>> you intended to push the exact RFC to vote. If you tell now there's no
>> appro
>
> > But the RFC is what you wrote about some days ago. Anything I told
> is
> > based on the RFC and the previous conversations. My understanding was
> that
> > you intended to push the exact RFC to vote. If you tell now there's
> no
> > approach and the RFC has to be ignored, then it
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Tuesday, July 4, 2017 11:14 PM
> To: Anatol Belski
> Cc: Sara Golemon ; Jakub Zelenka ; PHP
> Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> Bu
>
> But the RFC is what you wrote about some days ago. Anything I told is
> based on the RFC and the previous conversations. My understanding was that
> you intended to push the exact RFC to vote. If you tell now there's no
> approach and the RFC has to be ignored, then it doesn't help. If th
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Tuesday, July 4, 2017 8:21 PM
> To: Anatol Belski
> Cc: Sara Golemon ; Jakub Zelenka ; PHP
> Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> 2017-0
> internals@lists.php.net>
> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> >
> > I think the best approach for now would be that:
> >
> > Add two new context options for the "ssl" wrapper:
> > "insecure_allow_md5_signature"
2017-07-04 13:33 GMT+02:00 Anatol Belski :
> Hi,
>
> > -Original Message-
> > From: Niklas Keller [mailto:m...@kelunik.com]
> > Sent: Monday, July 3, 2017 8:12 PM
> > To: Sara Golemon
> > Cc: Anatol Belski ; Jakub Zelenka ;
> PHP
> > I
Hi,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Monday, July 3, 2017 8:12 PM
> To: Sara Golemon
> Cc: Anatol Belski ; Jakub Zelenka ; PHP
> Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> 2017
Hi Sara,
> -Original Message-
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara
> Golemon
> Sent: Monday, July 3, 2017 7:22 PM
> To: Anatol Belski
> Cc: Niklas Keller ; Jakub Zelenka ; PHP
> Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Dis
Hi Niklas,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Monday, July 3, 2017 7:13 PM
> To: Anatol Belski ; Sara Golemon
> Cc: Jakub Zelenka ; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> I thi
It should be noted that Certificate Authorities (CAs) haven't been issuing
SHA-1 certs since December 31st 2015.
I think the best solution if possible, would be to treat MD5 and SHA-1
certs as invalid in _all_ supported versions of PHP and requiring that
the verify_peer
option be set to false to a
2017-07-03 19:24 GMT+02:00 Sara Golemon :
> On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller wrote:
> > Additionally there will be two INI options
> > which are only added to PHP 7.1 and 7.0 to allow people to immediately
> > upgrade to secure defaults without any risk of breaking other apps.
> >
>
On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller wrote:
> Additionally there will be two INI options
> which are only added to PHP 7.1 and 7.0 to allow people to immediately
> upgrade to secure defaults without any risk of breaking other apps.
>
I understand what you're going for there, but it's just
On Mon, Jul 3, 2017 at 12:49 PM, Anatol Belski wrote:
> About how to proceed - I'd say the issue is clear and either way
> should be fixed. The RFC chooses the explicit strength approach.
> What I'm a bit concerned about is, that there's no implementation
> by this time, neither for 7.2 nor for lo
>
> I haven't followed the discussion back then, but just read through. The
> discussion seems unfinished yet, as far as I understood. The two
> approaches - the one going by security levels, and the other using
> strength bits as an argument. As for me, security levels were more future
> oriented
Hi,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Monday, July 3, 2017 3:14 PM
> To: Jakub Zelenka
> Cc: PHP Internals
> Subject: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> 2017-05-30 22:26 GMT+02:00 Jakub Zelenka :
>
2017-05-30 22:26 GMT+02:00 Jakub Zelenka :
> On Mon, May 29, 2017 at 9:16 PM, Niklas Keller wrote:
>
>> 2017-05-29 22:00 GMT+02:00 Jakub Zelenka :
>>
>>> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
>>>
Morning Internals,
I have updated the RFC to use a "min_signature_bi
On Mon, May 29, 2017 at 9:16 PM, Niklas Keller wrote:
> 2017-05-29 22:00 GMT+02:00 Jakub Zelenka :
>
>> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
>>
>>> Morning Internals,
>>>
>>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>>
>>>
>> Wouldn't it be better to use
On Tue, May 30, 2017 at 6:51 AM, Niklas Keller wrote:
>
> do you know how I can check whether a certificate is in the trust store or
> not?
>
>
I guess it depends what you want to do. If you want to check if the cert is
in cert store loaded in the SSL struct, then you could get it using
SSL_get_c
Hi Jakub,
do you know how I can check whether a certificate is in the trust store or
not?
Regards, Niklas
2017-05-29 22:00 GMT+02:00 Jakub Zelenka :
> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
>
>> Morning Internals,
>>
>> I have updated the RFC to use a "min_signature_bits" setti
2017-05-29 16:03 GMT+02:00 Lauri Kenttä :
> On 2017-05-29 13:58, Niklas Keller wrote:
>
>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>
>
> At least that name is misleading. Most PHP users would probably wonder why
> a setting of 128 does not allow the 160-bit hash from
2017-05-29 22:00 GMT+02:00 Jakub Zelenka :
> On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
>
>> Morning Internals,
>>
>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>
>>
> Wouldn't it be better to use security levels instead, as it is in OpenSSL? Of
> course I mean ju
On Mon, May 29, 2017 at 11:58 AM, Niklas Keller wrote:
> Morning Internals,
>
> I have updated the RFC to use a "min_signature_bits" setting instead.
>
>
Wouldn't it be better to use security levels instead, as it is in OpenSSL? Of
course I mean just for sig level to not re-implement everything. Basical
On 2017-05-29 13:58, Niklas Keller wrote:
I have updated the RFC to use a "min_signature_bits" setting instead.
At least that name is misleading. Most PHP users would probably wonder
why a setting of 128 does not allow the 160-bit hash from SHA-1 or the
512-bit RSA. So the name should be more
Morning Internals,
I have updated the RFC to use a "min_signature_bits" setting instead.
Please share your thoughts.
https://wiki.php.net/rfc/distrust-sha1-certificates
Regards, Niklas
2016-11-26 16:49 GMT+01:00 Niklas Keller :
> Morning Internals,
>
> I plan to distrust SHA-1 certificates by