PHP RFC: Distrust SHA-1 Certificates
- Version: 0.1
- Date: 2016-11-25
- Author: Niklas Keller firstname.lastname@example.org
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/distrust-sha1-certificates
As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. Since 2015-01-16 the CA/B Forum has advised CAs to issue no SHA-1 certificates with an expiration date later than 2017-01-01, as browsers had already announced (see references) that they would deprecate and remove SHA-1. NIST recommends that SHA-1 no longer be used for digital signatures. Starting with Java 9, Java will also no longer accept SHA-1 by default as of 2017-01-01. PHP does not yet provide a context option to control this at all.
This RFC proposes to add a new “ssl” context option (“signature_algorithms”) that defines the accepted algorithms. This context option defaults to SHA-1 and SHA-2 in PHP 5.6, 7.0 and 7.1. Starting with PHP 7.2, this will default to SHA-2 only.
Default for 5.6, 7.0 and 7.1
"RSA+SHA1:DSA+SHA1:ECDSA+SHA1:" . "RSA+SHA224:DSA+SHA224:ECDSA+SHA224:" . "RSA+SHA256:DSA+SHA256:ECDSA+SHA256:" . "RSA+SHA384:DSA+SHA384:ECDSA+SHA384:" . "RSA+SHA512:DSA+SHA512:ECDSA+SHA512"
Default for 7.2
"RSA+SHA224:DSA+SHA224:ECDSA+SHA224:" . "RSA+SHA256:DSA+SHA256:ECDSA+SHA256:" . "RSA+SHA384:DSA+SHA384:ECDSA+SHA384:" . "RSA+SHA512:DSA+SHA512:ECDSA+SHA512"
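The following is an added example, not code from the RFC or from PHP itself. It shows the colon-separated "SIG+HASH" list format the two defaults above use, derives the SHA-2-only list from the SHA-1-and-SHA-2 list by filtering, and passes the result through the proposed "signature_algorithms" key of the "ssl" context. That key is the proposal under discussion, not an existing option; stream_context_create() and the verify_peer / verify_peer_name options are real. The helper names (sigalgsWithout, permitsHash) are this example's own.

```php
<?php
// Added example. The "signature_algorithms" ssl context option is proposed by
// the RFC and does not exist in PHP at the time of writing.

// Default proposed for PHP 5.6, 7.0 and 7.1 (SHA-1 and SHA-2), as listed in the RFC.
const SIGALGS_SHA1_AND_SHA2 =
    'RSA+SHA1:DSA+SHA1:ECDSA+SHA1:' .
    'RSA+SHA224:DSA+SHA224:ECDSA+SHA224:' .
    'RSA+SHA256:DSA+SHA256:ECDSA+SHA256:' .
    'RSA+SHA384:DSA+SHA384:ECDSA+SHA384:' .
    'RSA+SHA512:DSA+SHA512:ECDSA+SHA512';

// Default proposed for PHP 7.2 (SHA-2 only), as listed in the RFC.
const SIGALGS_SHA2_ONLY =
    'RSA+SHA224:DSA+SHA224:ECDSA+SHA224:' .
    'RSA+SHA256:DSA+SHA256:ECDSA+SHA256:' .
    'RSA+SHA384:DSA+SHA384:ECDSA+SHA384:' .
    'RSA+SHA512:DSA+SHA512:ECDSA+SHA512';

/**
 * Splits a colon-separated "SIG+HASH" list into [signature, hash] pairs.
 * Malformed entries are rejected instead of skipped, so a typo in a
 * configured list cannot silently change which algorithms are accepted.
 *
 * @return array<int, array{0: string, 1: string}>
 */
function parseSigalgs(string $sigalgs): array
{
    $pairs = [];
    foreach (explode(':', $sigalgs) as $entry) {
        if (!preg_match('/^(RSA|DSA|ECDSA)\+(SHA1|SHA224|SHA256|SHA384|SHA512)$/', $entry, $m)) {
            throw new InvalidArgumentException("Malformed signature algorithm entry: {$entry}");
        }
        $pairs[] = [$m[1], $m[2]];
    }
    return $pairs;
}

/** Returns the list with every entry using one of $hashes removed. */
function sigalgsWithout(string $sigalgs, array $hashes): string
{
    $kept = [];
    foreach (parseSigalgs($sigalgs) as [$sig, $hash]) {
        if (!in_array($hash, $hashes, true)) {
            $kept[] = $sig . '+' . $hash;
        }
    }
    return implode(':', $kept);
}

/** True when the list still accepts signatures made with $hash (e.g. "SHA1"). */
function permitsHash(string $sigalgs, string $hash): bool
{
    foreach (parseSigalgs($sigalgs) as [, $h]) {
        if ($h === $hash) {
            return true;
        }
    }
    return false;
}

// Dropping SHA-1 from the pre-7.2 default yields exactly the 7.2 default.
assert(sigalgsWithout(SIGALGS_SHA1_AND_SHA2, ['SHA1']) === SIGALGS_SHA2_ONLY);
assert(permitsHash(SIGALGS_SHA1_AND_SHA2, 'SHA1') === true);
assert(permitsHash(SIGALGS_SHA2_ONLY, 'SHA1') === false);

// Opting in to the SHA-2-only behaviour on an older PHP version, using the
// proposed option name. verify_peer and verify_peer_name are existing options.
$context = stream_context_create([
    'ssl' => [
        'verify_peer'          => true,
        'verify_peer_name'     => true,
        'signature_algorithms' => SIGALGS_SHA2_ONLY, // proposed by this RFC
    ],
]);

// $context would then be passed to stream_socket_client('ssl://host:443', ...)
// or to file_get_contents() for an https:// URL.
```

stream_context_create() does not validate option names, so on a PHP build that does not implement the proposed key the option would simply have no effect. A deployment that wants to be sure SHA-1 is rejected should therefore check the running PHP version (or the RFC's eventual feature detection) rather than rely on the key being present.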
Backward Incompatible Changes
SHA-1 certificates are no longer accepted by default starting in PHP 7.2. This change already happens to be almost a year late, as PHP 7.2 is expected to be released near 2017-12-01. This change is justified by the new CA/B rules, browser changes and thus industry standards.
Proposed PHP Version(s)
PHP 5.6, 7.0, 7.1 and 7.2. Only 7.2 defaults to the new behavior.
None expected. Browsers stop accepting SHA-1 certificates starting 2017-01-01, and PHP 7.2 will be released long after that date.
Once SHA-2 becomes obsolete, the default can be adjusted accordingly.
Proposed Voting Choices
Requires a 2/3 majority.
Patches and Tests
Keep this updated with features that were discussed on the mail lists.