rfc:distrust-sha1-certificates
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
rfc:distrust-sha1-certificates [2017/05/29 10:54] – update to new mechanism kelunik | rfc:distrust-sha1-certificates [2017/05/29 10:56] – fix typo kelunik |
---|
===== Proposal ===== | ===== Proposal ===== |
| |
This RFC proposes to introduce a new ''"min_signature_bits"'' context option to restrict the accepted certificate message digests. The RFC proposes to set this option to ''128'' (accepting SHA2 and better) by default, allowing ''80'' (accepting also SHA1) to be set for legacy applications, but it is strongly advised doing so. This setting will be applied to all certificates that are not in the trust store. | This RFC proposes to introduce a new ''"min_signature_bits"'' context option to restrict the accepted certificate message digests. The RFC proposes to set this option to ''128'' (accepting SHA2 and better) by default, allowing ''80'' (accepting also SHA1) to be set for legacy applications, but this is strongly discouraged. This setting will be applied to all certificates that are not in the trust store. |
| |
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== |
| |
MD5 certificates won't any longer be accepted. SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This break is intentional and is in line with the CA/B rules and major browser policies. | MD5 certificates won't be accepted any longer. SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This break is intentional and is in line with the CA/B rules and major browser policies. |
| |
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== |
rfc/distrust-sha1-certificates.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1