====== PHP RFC: Improved SSL / TLS constants ====== * Version: 0.1.1 * Date: 2017-05-15 * Author: Niklas Keller, me@kelunik.com * Status: Merged to 7.2 * First Published at: http://wiki.php.net/rfc/improved-tls-constants ===== Introduction ===== This RFC proposes to change PHP's TLS constants to sane values. This change has been avoided by the [[https://wiki.php.net/rfc/improved-tls-defaults|previous RFC for PHP 5.6]] due to BC reasons. This RFCs favors better security instead of backwards compatibility with version intolerant and out of date servers. ===== Proposal ===== * Make ''tls://'' default to TLSv1.0 + TLSv1.1 + TLSv1.2 * Make ''ssl://'' an alias of ''tls://'' * Make ''STREAM_CRYPTO_METHOD_TLS_*'' constants default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only ''STREAM_CRYPTO_METHOD_TLS_*'' will be changed in the future when newer versions of TLS are available without going through the RFC process. ===== Backward Incompatible Changes ===== This might break connection attempts to TLS servers with only TLS 1.0 enabled and that are version intolerant at the same time. This also breaks ''ssl://'' wrapper connections if only SSL is supported by the remote host, but no TLS. While strongly discouraged, an explicit context option passing ''STREAM_CRYPTO_METHOD_SSLv2_* | STREAM_CRYPTO_METHOD_SSLv3_* | STREAM_CRYPTO_METHOD_TLS'' can be used to restore the old behavior. ===== Proposed PHP Version(s) ===== This change will be merged into 7.2 if accepted. ===== Future Scope ===== In the future ''STREAM_CRYPTO_METHOD_SSLv23_CLIENT'' should be deprecated and SSL support completely removed. ===== Voting ===== This is a simple 50%+1 vote with yes and no options. The voting started on 29th of May 2017 and will end on 5th of June 2017. * Yes * No ===== Patches and Tests ===== * https://github.com/php/php-src/pull/2518 * https://github.com/php/php-src/commit/bec91e1117fd3527897cde2f8a26eab9a20fa3dc ===== References ===== * https://externals.io/thread/864