This is an old revision of the document!


PHP RFC: Distrust SHA-1 Certificates

Introduction

As of 2016-01-01, the CA/B Forum forbids issuing new SHA-1 certificates. Since 2015-01-16, the CA/B Forum has advised CAs not to issue SHA-1 certificates with an expiration date later than 2017-01-01, as browsers had already announced (see references) that they would deprecate and remove SHA-1. NIST recommends that SHA-1 no longer be used for digital signatures. Starting with Java 9, Java will also no longer accept SHA-1 by default from 2017-01-01.

Meanwhile, PHP has no restrictions here at all. There is no context option that lets users specify which signature algorithms they accept. Even worse, PHP currently seems to accept even MD5 certificates.

Proposal

This RFC proposes to use OpenSSL's new security level to restrict the accepted certificates. The level is set to 2 if OpenSSL 1.1 is available; otherwise those rules are enforced by PHP itself. Quoting from the above manual page, this security level has the following effect:

Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any ciphersuite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.

This will be implemented as a new “ssl” context option named “security_level”, using the same values as OpenSSL. It defaults to 2 starting 2017-01-01.
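A sketch of what the "enforced by PHP itself" fallback has to check for a single certificate, added here as an illustration and not taken from the RFC or any PHP patch. The helpers `cert_violations()` and `self_signed()` are hypothetical names, the sample certificates are constructed at run time, and the script assumes the local OpenSSL build still permits creating 1024-bit keys and SHA-1 signatures:

```php
<?php
// Added example. cert_violations() and self_signed() are hypothetical helpers,
// not part of PHP or of this RFC's patch.

/** Return the reasons a PEM certificate fails the level-2 style rules. */
function cert_violations(string $pem): array
{
    $info = openssl_x509_parse($pem);
    $key  = openssl_pkey_get_public($pem);
    if ($info === false || $key === false) {
        return ['certificate could not be parsed'];
    }
    $problems = [];

    // Signature digest short name, e.g. "RSA-SHA1" or "ecdsa-with-SHA256".
    $sig = $info['signatureTypeSN'] ?? 'unknown';
    if ($sig === 'unknown' || preg_match('/md5|sha1(?!\d)/i', $sig)) {
        $problems[] = "signature algorithm not accepted: $sig";
    }

    // Minimum key sizes from the quoted level-2 description.
    $min = [
        OPENSSL_KEYTYPE_RSA => 2048, OPENSSL_KEYTYPE_DSA => 2048,
        OPENSSL_KEYTYPE_DH  => 2048, OPENSSL_KEYTYPE_EC  => 224,
    ];
    $d = openssl_pkey_get_details($key);
    if (!isset($min[$d['type']])) {
        $problems[] = 'unrecognised key type';   // fail closed in this sketch
    } elseif ($d['bits'] < $min[$d['type']]) {
        $problems[] = "key too short: {$d['bits']} bits, minimum {$min[$d['type']]}";
    }
    return $problems;
}

/** Constructed sample input: a throwaway self-signed RSA certificate. */
function self_signed(int $bits, string $digest): string
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => $bits]);
    $csr = openssl_csr_new(['commonName' => 'example.test'], $key, ['digest_alg' => $digest]);
    $crt = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => $digest]);
    openssl_x509_export($crt, $pem);
    return $pem;
}

foreach ([[2048, 'sha256'], [1024, 'sha256'], [2048, 'sha1']] as [$bits, $digest]) {
    $found = cert_violations(self_signed($bits, $digest));
    echo "RSA-$bits/$digest: ", $found ? implode('; ', $found) : 'accepted', PHP_EOL;
}
```

The certificates are self-signed only so the script runs offline; against a live connection the same check would be applied to each certificate obtained through the existing `capture_peer_cert_chain` context option.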

Backward Incompatible Changes

MD5 and SHA-1 certificates are no longer accepted by default starting 2017-01-01. This break is intentional and is in line with the CA/B rules and major browser policies.

Proposed PHP Version(s)

All supported versions, because of the security impact.

RFC Impact

Browsers will also stop accepting SHA-1 certificates on 2017-01-01. Impact is expected to be rather low. People who need SHA-1 certificates, e.g. for private CAs, can set the mentioned context option to 0 to get the previous behavior, but are strongly discouraged from doing so.

Future Scope

The default can be increased later should the need arise.

Proposed Voting Choices

Requires a 2/3 majority.

Patches and Tests

TBD.

Implementation

TBD.

References

Rejected Features

  • Default value for signature_algorithms
rfc/distrust-sha1-certificates.1480349654.txt.gz · Last modified: 2017/09/22 13:28 (external edit)