>
> I just pushed support for security_level [1] which is more comprehensive
> and the patch is also very simple.
>
> Apologies for such a last-minute addition, but I felt that it is really useful
> for 7.2, and I have already messaged about that and haven't heard any
> objections. Of course if anyone fe
Hey,
On Mon, Jul 17, 2017 at 8:58 AM, Niklas Keller wrote:
> Hi,
>>
>> > After reading related discussion on openssl-users [1], I'm not so sure if
>> > we should be doing that at all...
>> >
>> > Especially I agree with this bit:
>> >
>> > "Making your code more comple
>
> Hi,
>
> > After reading related discussion on openssl-users [1], I'm not so sure if
> > we should be doing that at all...
> >
> > Especially I agree with this bit:
> >
> > "Making your code more complex is a far higher risk than a practical
> > certificate forg
Hi,
> After reading related discussion on openssl-users [1], I'm not so sure if
> we should be doing that at all...
>
> Especially I agree with this bit:
>
> "Making your code more complex is a far higher risk than a practical
> certificate forgery based on a col
> > > To: Niklas Keller
> > > Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> > > Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> > >
> > > Morning, guys,
> > >
> > > > -Original Message-
> > > To: Anatol Belski
> > > Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> > > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> > >
> > > Ok, so you strive to create a completely new RFC with a solution
>
Hi,
> -Original Message-
> From: Anatol Belski [mailto:weltl...@outlook.de]
> Sent: Thursday, July 6, 2017 4:52 PM
> To: Niklas Keller
> Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> Subject: RE: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificat
Morning, guys,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Wednesday, July 5, 2017 4:39 PM
> To: Anatol Belski
> Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
r
> > Cc: Anatol Belski; Sara Golemon; PHP Internals
> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> >
> > Hi,
> >
> >
> > On Tue, Jul 4, 2017 at 10:13 PM, Niklas Keller <m...@kelunik.com> wrote:
>
>
> Ok, so you strive to create a completely new RFC with a solution based on
> today's situation. I think you still don't see my point. Say there's
> insecure_allow_sha1_signature, which is a stream context. Then
>
> - in 7.0 and 7.1
> - if absent, insecure_allow_sha1_signature = true
> - if p
Hi Jakub,
> -Original Message-
> From: jakub@gmail.com [mailto:jakub@gmail.com] On Behalf Of Jakub Zelenka
> Sent: Wednesday, July 5, 2017 3:24 PM
> To: Niklas Keller
> Cc: Anatol Belski; Sara Golemon; PHP Internals
> Subject: Re: [PHP-DEV]
Hi Davey,
> -Original Message-
> From: m...@daveyshafik.com [mailto:m...@daveyshafik.com] On Behalf Of Davey Shafik
> Sent: Tuesday, July 4, 2017 8:53 AM
> To: Niklas Keller
> Cc: Sara Golemon; Anatol Belski; Jakub Zelenka; PHP Internals
> Subject
Hi,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Wednesday, July 5, 2017 9:43 AM
> To: Anatol Belski
> Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
>
Hi,
On Tue, Jul 4, 2017 at 10:13 PM, Niklas Keller wrote:
> > But the RFC is what you wrote about some days ago. Anything I told is
> > based on the RFC and the previous conversations. My understanding was that
> > you intended to push the exact RFC to vote. If you tell now there's no
> > appro
>
> > But the RFC is what you wrote about some days ago. Anything I told is
> > based on the RFC and the previous conversations. My understanding was that
> > you intended to push the exact RFC to vote. If you tell now there's no
> > approach and the RFC has to be ignored, then it
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Tuesday, July 4, 2017 11:14 PM
> To: Anatol Belski
> Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> Bu
>
> But the RFC is what you wrote about some days ago. Anything I told is
> based on the RFC and the previous conversations. My understanding was that
> you intended to push the exact RFC to vote. If you tell now there's no
> approach and the RFC has to be ignored, then it doesn't help. If th
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Tuesday, July 4, 2017 8:21 PM
> To: Anatol Belski
> Cc: Sara Golemon; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> 2017-0
> internals@lists.php.net>
> > Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
> >
> > I think the best approach for now would be that:
> >
> > Add two new context options for the "ssl" wrapper:
> > "insecure_allow_md5_signature"
2017-07-04 13:33 GMT+02:00 Anatol Belski :
> Hi,
>
> > -Original Message-
> > From: Niklas Keller [mailto:m...@kelunik.com]
> > Sent: Monday, July 3, 2017 8:12 PM
> > To: Sara Golemon
> > Cc: Anatol Belski; Jakub Zelenka; PHP
> > I
Hi,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Monday, July 3, 2017 8:12 PM
> To: Sara Golemon
> Cc: Anatol Belski; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> 2017
Hi Sara,
> -Original Message-
> From: p...@golemon.com [mailto:p...@golemon.com] On Behalf Of Sara Golemon
> Sent: Monday, July 3, 2017 7:22 PM
> To: Anatol Belski
> Cc: Niklas Keller; Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Dis
Hi Niklas,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Monday, July 3, 2017 7:13 PM
> To: Anatol Belski; Sara Golemon
> Cc: Jakub Zelenka; PHP Internals
> Subject: Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> I thi
It should be noted that Certificate Authorities (CAs) haven't been issuing
SHA-1 certs since December 31st 2015.
I think the best solution, if possible, would be to treat MD5 and SHA-1
certs as invalid in _all_ supported versions of PHP and require that
the verify_peer option be set to false to a
2017-07-03 19:24 GMT+02:00 Sara Golemon :
> On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller wrote:
> > Additionally there will be two INI options
> > which are only added to PHP 7.1 and 7.0 to allow people to immediately
> > upgrade to secure defaults without any risk of breaking other apps.
> >
>
On Mon, Jul 3, 2017 at 1:12 PM, Niklas Keller wrote:
> Additionally there will be two INI options
> which are only added to PHP 7.1 and 7.0 to allow people to immediately
> upgrade to secure defaults without any risk of breaking other apps.
>
I understand what you're going for there, but it's just
On Mon, Jul 3, 2017 at 12:49 PM, Anatol Belski wrote:
> About how to proceed - I'd say the issue is clear and either way
> should be fixed. The RFC chooses the explicit strength approach.
> What I'm a bit concerned about is that there's no implementation
> by this time, neither for 7.2 nor for lo
>
> I haven't followed the discussion back then, but just read through. The
> discussion seems unfinished yet, as far as I understood. The two
> approaches - the one going by security levels, and the other using
> strength bits as an argument. As for me, security levels were more future
> oriented
Hi,
> -Original Message-
> From: Niklas Keller [mailto:m...@kelunik.com]
> Sent: Monday, July 3, 2017 3:14 PM
> To: Jakub Zelenka
> Cc: PHP Internals
> Subject: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates
>
> 2017-05-30 22:26 GMT+02:00 Jakub Zelenka :
>
> > On Mon, May 29, 2017 at
2017-05-29 16:03 GMT+02:00 Lauri Kenttä :
> On 2017-05-29 13:58, Niklas Keller wrote:
>
>> I have updated the RFC to use a "min_signature_bits" setting instead.
>>
>
> At least that name is misleading. Most PHP users would probably wonder why
> a setting of 128 does not allow the 160-bit hash from
On 2017-05-29 13:58, Niklas Keller wrote:
I have updated the RFC to use a "min_signature_bits" setting instead.
At least that name is misleading. Most PHP users would probably wonder
why a setting of 128 does not allow the 160-bit hash from SHA-1 or the
512-bit RSA. So the name should be more