rfc:distrust-sha1-certificates

rfc:distrust-sha1-certificates [2016/11/26 15:32]
kelunik Add implementation details
rfc:distrust-sha1-certificates [2017/09/22 13:28] (current)
Line 1: Line 1:
 ====== PHP RFC: Distrust SHA-1 Certificates ====== ====== PHP RFC: Distrust SHA-1 Certificates ======
  
-  * Version: 0.1+  * Version: 0.3
   * Date: 2016-11-25   * Date: 2016-11-25
 +  * Last Update: 2017-05-29
   * Author: Niklas Keller <me@kelunik.com>   * Author: Niklas Keller <me@kelunik.com>
-  * Status: Draft+  * Status: Under Discussion
   * First Published at: http://wiki.php.net/rfc/distrust-sha1-certificates   * First Published at: http://wiki.php.net/rfc/distrust-sha1-certificates
  
 ===== Introduction ===== ===== Introduction =====
  
-As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. The CA/B has advised CAs starting 2015-01-16 to issue no SHA-1 certificates with an expiration date greater than 2017-01-01, as browsers had already announced (see references) to deprecate and remove SHA-1. [[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf|NIST recommends that SHA-1 should no longer be used for digital signatures]]. Starting with Java 9, [[http://openjdk.java.net/jeps/288|Java will also no longer accept SHA-1 starting 2017-01-01 by default]]. [[http://php.net/manual/en/context.ssl.php|PHP does not even provide a context option]], yet.+As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. The CA/B has advised CAs starting 2015-01-16 to issue no SHA-1 certificates with an expiration date greater than 2017-01-01, as browsers had already announced (see references) to deprecate and remove SHA-1. [[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf|NIST recommends]] that SHA-1 should no longer be used for digital signatures. Starting with Java 9, [[http://openjdk.java.net/jeps/288|Java will also no longer accept SHA-1]] starting 2017-01-01 by default. 
  
-===== Proposal =====+Meanwhile, PHP doesn't have any restrictions here at all. There's [[http://php.net/manual/en/context.ssl.php|no context option]] that let's users specify which signature algorithms they accept. Even worse, PHP currently accepts even MD5 certificates.
  
-This RFC proposes to add a new ''"ssl"'' context option (''"signature_algorithms"'') that defines the accepted algorithmsThis context option defaults to SHA-1 and SHA-2 in PHP 5.6, 7.0 and 7.1. Starting with PHP 7.2, this will default to SHA-2 only.+As of 23rd of February 2017, [[https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html|SHA-1 is considered broken]]MD5 has been known to be broken for a way longer time.
  
-==== Default for 5.6, 7.0 and 7.1 ====+===== Proposal =====
  
-<code php> +This RFC proposes to introduce a new ''"min_signature_bits"'' context option to restrict the accepted certificate message digestsThe RFC proposes to set this option to ''128'' (accepting SHA2 and better) by default, allowing ''80'' (accepting also SHA1) to be set for legacy applications, but this is strongly discouragedThis setting will be applied to all certificates that are not in the trust store.
-"RSA+SHA1:DSA+SHA1:ECDSA+SHA1" . +
-"RSA+SHA224:DSA+SHA224:ECDSA+SHA224:"+
-"RSA+SHA256:DSA+SHA256:ECDSA+SHA256:"+
-"RSA+SHA384:DSA+SHA384:ECDSA+SHA384:"+
-"RSA+SHA512:DSA+SHA512:ECDSA+SHA512" +
-</code> +
- +
-==== Default for 7.2 ==== +
- +
-<code php> +
-"RSA+SHA224:DSA+SHA224:ECDSA+SHA224:" . +
-"RSA+SHA256:DSA+SHA256:ECDSA+SHA256:"+
-"RSA+SHA384:DSA+SHA384:ECDSA+SHA384:"+
-"RSA+SHA512:DSA+SHA512:ECDSA+SHA512" +
-</code>+
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This change already happens to be almost a year late, as PHP 7.2 is expected to be released near 2017-12-01. This change is justified by the new CA/B rules, browser changes and thus industry standards.+MD5 certificates won't be accepted any longer. SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This break is intentional and is in line with the CA/B rules and major browser policies.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
  
-PHP 5.6, 7.0, 7.1 and 7.2. Only 7.2 defaults to the new behavior.+All supported versions should be updated to restrict the usage of MD5 certificates. All versions except PHP 7.2 should default to ''80'' for lower BC impactPHP 7.2 will default to ''128''.
  
 ===== RFC Impact ===== ===== RFC Impact =====
  
-None expected. Browsers already start on 2017-01-01 with no longer accepting SHA-1 certificates. PHP 7.2 will be released long after 2017-01-01.+Browsers started on 2017-01-01 with no longer accepting SHA-1 certificates. The impact is expected to be rather low. People in need of SHA-1 certificates, e.g. for private CAs, can set the mentioned context option to ''80'' to get the previous behavior (except for MD5 not being accepted), but are strongly discouraged to do so. It is explicitly not possible to set this value lower than 80. There's no option to enable MD5.
  
 ===== Future Scope ===== ===== Future Scope =====
  
-Once SHA-2 should be become obsolete, the default can be adjusted accordingly.+The default can be increased later should the need arise.
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
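Review bot: the Proposal paragraph says ''128'' accepts "SHA2 and better", but SHA-224 is a SHA-2 member with a 224-bit digest and only 112 bits of collision resistance (the NIST SP 800-57 strength the RFC already cites), so whether 128 admits SHA-224 depends on how the bit value is derived; state the digest-to-''min_signature_bits'' mapping explicitly (half the digest length gives MD5 = 64, SHA-1 = 80, SHA-224 = 112, SHA-256 = 128, which matches "80 accepts SHA1" and MD5 falling below the floor), because the Backward Incompatible Changes and RFC Impact sections depend on exactly which algorithms sit on each side of 80 and 128. The same paragraph has "let's users" for "lets users" and lacks a full stop between "message digests" and "The RFC proposes" and between "discouraged" and "This setting".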
Line 69: Line 55:
   * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf   * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
   * http://openjdk.java.net/jeps/288   * http://openjdk.java.net/jeps/288
- 
-===== Rejected Features ===== 
-Keep this updated with features that were discussed on the mail lists. 
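Review bot: deleting the Rejected Features section leaves no record of why the earlier per-algorithm string option ("RSA+SHA1:DSA+SHA1:ECDSA+SHA1" and the SHA-224 to SHA-512 lists removed in the hunk above) was dropped in favour of the single ''min_signature_bits'' threshold; keep the heading and replace the template placeholder with one entry naming that alternative and the reason it was superseded, so readers of the Under Discussion revision can see it was considered rather than overlooked.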
rfc/distrust-sha1-certificates.1480174359.txt.gz · Last modified: 2017/09/22 13:28 (external edit)